HCSEC-2022-27 - HashiCorp Response to OpenSSL Security Announcement Regarding November 1 Release

Bulletin ID: HCSEC-2022-27
Affected Products / Versions: None known at this time.
Publication Date: October 28, 2022

Summary
HashiCorp is aware of the OpenSSL team’s announcement of an upcoming release with a critical security vulnerability.

Background
The OpenSSL team has announced that a “critical” vulnerability (as defined in OpenSSL security policy) impacting OpenSSL 3.x will be fixed in the OpenSSL 3.0.7 release scheduled for Tuesday, November 1, 2022.

Details
Generally, HashiCorp products and services are built using the Go language and ecosystem, and do not heavily utilize OpenSSL. When more information is available, we’ll investigate and take action as appropriate.

More broadly, beyond HashiCorp’s core products and services, HashiCorp utilizes software products and cloud services from a range of vendors across our business. Again, when more information is available, we will systematically evaluate these for exposure and take remediation action as appropriate.
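The evaluation described above starts with a version inventory. The following POSIX shell check is an added example and is not part of the HashiCorp bulletin or any HashiCorp tooling; it uses only what the bulletin states (the issue affects OpenSSL 3.x and is fixed in the 3.0.7 release) to classify the output of `openssl version`. The version strings in the block are constructed samples, not captures from real hosts, and the `classify_openssl` function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the HashiCorp bulletin: classify `openssl version`
# output against the fix version the bulletin names (3.0.7). Releases below
# 3.x are reported as outside this bulletin's scope, not as safe in general.

# classify_openssl "<openssl version output>" prints exactly one word:
#   vulnerable   a 3.x release earlier than 3.0.7
#   fixed        3.0.7 or a later 3.x release
#   not-3x       a 1.x (or other major) release, outside this bulletin's scope
#   unknown      the string does not look like `openssl version` output
classify_openssl() {
  # Keep only the leading dotted numeric part, e.g. "1.1.1q" -> "1.1.1".
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
  if [ -z "$ver" ]; then
    echo unknown
    return 0
  fi
  # Split major.minor.patch; missing components default to 0.
  major=${ver%%.*}
  rest=${ver#"$major"}; rest=${rest#.}
  minor=${rest%%.*}
  rest=${rest#"$minor"}; rest=${rest#.}
  patch=${rest%%.*}
  : "${minor:=0}" "${patch:=0}"

  if [ "$major" -ne 3 ]; then
    echo not-3x
  elif [ "$minor" -gt 0 ] || [ "$patch" -ge 7 ]; then
    echo fixed
  else
    echo vulnerable
  fi
}

# Constructed sample strings (not captured from real hosts).
for sample in "OpenSSL 3.0.5 5 Jul 2022" \
              "OpenSSL 3.0.7 1 Nov 2022" \
              "OpenSSL 1.1.1q 5 Jul 2022"; do
  printf '%-28s %s\n' "$sample" "$(classify_openssl "$sample")"
done

# Classify this host's own library when the openssl CLI is installed.
if command -v openssl >/dev/null 2>&1; then
  printf '%-28s %s\n' "this host:" "$(classify_openssl "$(openssl version)")"
fi
```

Run it on each host in the inventory, or feed it version strings collected by configuration management; a `vulnerable` result identifies a system to schedule for the 3.0.7 update once that release is available.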

Remediation
None necessary at this time. This bulletin will be updated if this situation changes.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.

Update Regarding Golang Release Announcement (November 1, 2022)

We had earlier noted that on October 26th the Golang team had also pre-announced a November 1 release with undisclosed security fixes, which may indicate a coordinated vulnerability disclosure and/or related issue. However, on October 31 they explicitly stated that these releases are unrelated.

Update Regarding OpenSSL Release Announcement and Advisory (November 1, 2022)

The OpenSSL team disclosed CVE-2022-3602 and CVE-2022-3786 with a security advisory and related blog post. Both vulnerabilities were associated with OpenSSL 3.0’s X.509 certificate email address processing functionality and were classified as “high” severity, with one downgraded from “critical”.

Initial response and investigation activities associated with this security issue have been completed.

There was no exposure identified for HashiCorp products / services, including HashiCorp open source software, HashiCorp enterprise software, and HashiCorp cloud services.

Given OpenSSL’s broad usage across the broader technology ecosystem, we will continue to monitor for exposure of HashiCorp’s products / services and third party components / systems and take appropriate remediation actions.