New OpenSSL Vulnerability

A new OpenSSL vulnerability was published today and I’m unclear if it might affect my application that uses ComponentSpace’s SAML SSO library. The vulnerability relates to name constraint checking during certificate validation. See the official description here: https://www.openssl.org/news/secadv/20221101.txt. Please advise.

We don’t directly or indirectly use OpenSSL so there shouldn’t be any impact.

[quote]
ComponentSpace - 11/1/2022
We don't directly or indirectly use OpenSSL so there shouldn't be any impact.
[/quote]

Thanks for the quick reply! So no concerns about validating certs that were created using OpenSSL either?

No. I don’t believe so. This buffer overrun bug was in the OpenSSL code and is specific to their implementation.

We’re waiting to see if there are any announcements from Microsoft.

What operating system(s) are you using for your deployments?

[quote]
ComponentSpace - 11/1/2022
No. I don't believe so. This buffer overrun bug was in the OpenSSL code and is specific to their implementation.

We're waiting to see if there are any announcements from Microsoft.

What operating system(s) are you using for your deployments?
[/quote]

Certs were created in a Windows desktop environment. Application is deployed on Ubuntu.

I suggest checking that Ubuntu isn’t using a vulnerable version of OpenSSL.