Okta’s Response to OpenSSL Security Update

The OpenSSL Project has announced the availability of a security update (version 3.07) that addresses a vulnerability affecting OpenSSL versions 3.0 and above (3.0.0 - 3.0.6).

The two CVE’s are listed below:

• CVE-2022-3602
• CVE-2022-3786

Response

Okta’s engineering teams have applied patches and other mitigations, where required.

Customer Guidance

For both CVEs, the severity level has been listed as “high” and the following information has been made available:

• OpenSSL versions 3.0.0 to 3.0.6 are vulnerable.
• OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.
• OpenSSL 1.1.1 and 1.0.2 are not affected.

Okta has assessed that Version 2022.10.0 of the Okta Access Gateway uses an impacted version of OpenSSL. Please see our advisory.

Update: OAG version 2022.11.0 is now available with an updated version of OpenSSL 3.0.7.

Changelog

• December 1, 2022, 01:37 UTC - updated to reflect patches and mitigations have been applied.
• November 4, 2022, 23:36 UTC - Updated to reflect new OAG version available.
• November 1, 2022, 03:59 UTC - A previous version of this post noted that the OpenSSL Project evaluated one of the vulnerabilities as “Critical”. This has since been downgraded by OpenSSL to “High”.