High vulnerabilities in OpenSSL (CVE-2022-3602 & CVE-2022-3786)
Incident Report for Aptible
Resolved
This incident has been resolved.
Posted Nov 03, 2022 - 09:53 EDT
Update
OpenSSL's pre-announcement of CVE-2022-3602 described this issue as CRITICAL, but it has since been downgraded to HIGH [0]. Aptible remains unaffected by this vulnerability. We still recommend every Aptible customer check the OpenSSL versions used in their apps to confirm they're unaffected. Please follow the steps in the Oct 31 update below to check the version and update OpenSSL accordingly.

Additional Context & Guidance from OpenSSL: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

[0] https://www.openssl.org/news/secadv/20221101.txt
Posted Nov 01, 2022 - 13:21 EDT
Monitoring
OpenSSL has announced a critical vulnerability [0] for which a patch will be released tomorrow, November 1, 2022 between 13:00 and 17:00 UTC. The nature of the vulnerability has not been disclosed, but based on how it's being handled, Aptible expects it could be a serious vulnerability affecting data confidentiality for those running affected OpenSSL versions (>= 3.0.0, < 3.0.7).

Aptible has reviewed all infrastructure components that we manage and has confirmed that all are unaffected by this vulnerability. These components include:

- Our Managed TLS endpoints
- The TLS endpoints for our REST API services (Auth and Deploy APIs)
- All versions of our managed databases
- Our log forwarding infrastructure
- Our metrics collection infrastructure
- Our SSH and Git server infrastructure

Still, every Aptible customer should check the OpenSSL versions used in their apps to confirm they're unaffected. To do so, run:

$ aptible ssh --app $APP_HANDLE openssl version

If the version is >= 3.0.0, you should plan to upgrade your apps' Docker image(s) tomorrow as soon as OpenSSL 3.0.7 is released.
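The check above, automated across several apps, as an added example that is not part of Aptible's own guidance: the function parses the output of `openssl version` and flags only OpenSSL releases in the affected range (3.0.0 up to but not including 3.0.7); the `APP_HANDLES` variable (a space-separated list of app handles) is an assumption of this example.

```shell
#!/bin/sh
# Return 0 (true) when a line of `openssl version` output names an OpenSSL
# release in the affected range 3.0.0 <= version < 3.0.7, otherwise 1.
# LibreSSL/BoringSSL builds are out of scope and are reported as unaffected.
openssl_affected() {
    printf '%s\n' "$1" | awk '
        $1 != "OpenSSL" { exit 1 }            # not an OpenSSL build at all
        {
            split($2, v, ".")                 # "3.0.5" -> v[1]=3 v[2]=0 v[3]=5
            major = v[1] + 0                  # "+ 0" drops letter suffixes such as "1q"
            minor = v[2] + 0
            patch = v[3] + 0                  # missing patch level counts as 0
            if (major == 3 && minor == 0 && patch < 7) exit 0
            exit 1
        }'
}

# Run the version check from this update against every app handle listed in
# APP_HANDLES (assumed to be set by the operator) and report the affected ones.
check_apps() {
    for app in $APP_HANDLES; do
        out=$(aptible ssh --app "$app" openssl version 2>/dev/null) || out="unknown"
        if openssl_affected "$out"; then
            printf '%s: AFFECTED (%s) - rebuild on an image with OpenSSL 3.0.7\n' "$app" "$out"
        else
            printf '%s: ok (%s)\n' "$app" "$out"
        fi
    done
}

if [ -n "${APP_HANDLES:-}" ]; then
    check_apps
fi
```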

We will continue to update this incident page as more information is revealed about the vulnerability. If the vulnerability is only exploitable for *server-side* OpenSSL functionality, the impact to Aptible customers would be significantly reduced. Only those customers who use plain TCP endpoints [1] with their own OpenSSL for TLS termination would be affected in this scenario.

[0] https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
[1] https://deploy-docs.aptible.com/docs/tcp-endpoints
Posted Oct 31, 2022 - 16:21 EDT