Update Regarding OpenSSL Release Announcement and Advisory (November 1, 2022)
The OpenSSL team disclosed CVE-2022-3602 and CVE-2022-3786 with a security advisory and related blog post. Both vulnerabilities were associated with OpenSSL 3.0’s X.509 certificate email address processing functionality and were classified as “high” severity, with one downgraded from “critical”.
Initial response and investigation activities associated with this security issue have been completed.
There was no exposure identified for HashiCorp products / services, including HashiCorp open source software, HashiCorp enterprise software, and HashiCorp cloud services.
Given OpenSSL’s wide usage across the technology ecosystem, we will continue to monitor HashiCorp’s products / services and third-party components / systems for exposure and take appropriate remediation actions.