Okta’s Response to OpenSSL Security Update
The OpenSSL Project has announced the availability of a security update (version 3.0.7) that addresses a vulnerability affecting the OpenSSL 3.0 series (versions 3.0.0 through 3.0.6).
The two CVEs are listed below:
Okta’s engineering teams have applied patches and other mitigations, where required.
For both CVEs, the severity level has been listed as “high” and the following information has been made available:
- OpenSSL versions 3.0.0 to 3.0.6 are vulnerable.
- OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.
- OpenSSL 1.1.1 and 1.0.2 are not affected.
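For inventorying hosts against the ranges above, the following added example (not Okta's or the OpenSSL Project's code) classifies an OpenSSL version token as printed in the second field of `openssl version`; the function names and the "affected/fixed/not-affected/unknown" labels are assumptions of this example.

```shell
#!/bin/sh
# Classify an OpenSSL version string against the ranges stated in the advisory:
#   3.0.0 - 3.0.6      -> affected (upgrade to 3.0.7)
#   3.0.7 and later    -> fixed
#   1.1.1.x / 1.0.2.x  -> not-affected
#   anything else      -> unknown (outside the ranges the advisory covers)
# Input is the version token such as "3.0.2" or "1.1.1n" (letter suffixes are ignored).
classify_openssl_version() {
    ver="$1"
    # Drop any letter suffix (e.g. 1.1.1n -> 1.1.1), then split on dots.
    num=$(printf '%s' "$ver" | sed 's/[^0-9.].*$//')
    major=$(printf '%s' "$num" | cut -d. -f1)
    minor=$(printf '%s' "$num" | cut -d. -f2)
    patch=$(printf '%s' "$num" | cut -d. -f3)
    minor=${minor:-0}
    patch=${patch:-0}
    case "$major.$minor" in
        3.0)
            if [ "$patch" -le 6 ]; then
                echo "affected"
            else
                echo "fixed"
            fi
            ;;
        1.1)
            [ "$patch" -eq 1 ] && echo "not-affected" || echo "unknown"
            ;;
        1.0)
            [ "$patch" -eq 2 ] && echo "not-affected" || echo "unknown"
            ;;
        *)
            echo "unknown"
            ;;
    esac
}

# Convenience wrapper for the local binary (hypothetical helper name):
# "openssl version" prints e.g. "OpenSSL 3.0.2 15 Mar 2022"; field 2 is the version.
check_local_openssl() {
    v=$(openssl version 2>/dev/null | awk '{print $2}')
    [ -n "$v" ] || { echo "unknown"; return; }
    printf '%s %s\n' "$v" "$(classify_openssl_version "$v")"
}
```

Note that this checks only the reported library version; a vendor-patched build may carry the fix under an older version string, so confirm against the vendor's own advisory before treating a host as affected.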
Okta has assessed that Version 2022.10.0 of the Okta Access Gateway uses an impacted version of OpenSSL. Please see our advisory.
Update: OAG version 2022.11.0 is now available and includes OpenSSL 3.0.7.
- December 1, 2022, 01:37 UTC - Updated to reflect that patches and mitigations have been applied.
- November 4, 2022, 23:36 UTC - Updated to reflect new OAG version available.
- November 1, 2022, 03:59 UTC - A previous version of this post noted that the OpenSSL Project evaluated one of the vulnerabilities as “Critical”. This has since been downgraded by OpenSSL to “High”.