Bulletin ID: HCSEC-2022-27
Affected Products / Versions: None known at this time.
Publication Date: October 28, 2022
Summary
HashiCorp is aware of the OpenSSL team’s announcement of an upcoming release with a critical security vulnerability.
Background
The OpenSSL team has announced that a “critical” vulnerability (as defined in OpenSSL security policy) impacting OpenSSL 3.x will be fixed in the OpenSSL 3.0.7 release scheduled for Tuesday, November 1, 2022.
Details
Generally, HashiCorp products and services are built using the Go language and ecosystem, and do not heavily utilize OpenSSL. When more information is available, we’ll investigate and take action as appropriate.
More broadly, beyond HashiCorp’s core products and services, HashiCorp utilizes software products & cloud services from a range of vendors across our business. Again, when more information is available, we will systematically evaluate these for exposure and take remediation action as appropriate.
Remediation
None necessary at this time. This bulletin will be updated if this situation changes.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.