Published: November 1, 2022 2:30 PM PST
Last Updated: November 1, 2022 2:30 PM PST (See Changelog below)
Background
CVE-2022-3786 and CVE-2022-3602 were made public on 11/01/2022 and rated as High severity vulnerabilities in OpenSSL versions 3.0.0 - 3.0.6, a commonly used cryptography and SSL/TLS toolkit. According to the original advisory, successful exploitation of these vulnerabilities could result in a crash (causing a denial of service) or potentially remote code execution. We were aware of the impending release, prepared a full software inventory prior to the advisory's publication, and analyzed the impact once the vulnerability details were made available.
Please note that OpenSSL versions 1.1.1 and 1.0.2 are NOT affected by these vulnerabilities.
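To turn the version range above into a repeatable inventory check, the following added example (not part of this advisory) parses the output of "openssl version" from each host and flags only installations in the 3.0.0 - 3.0.6 range; the host names and version strings are constructed sample data.

```python
import re

# Affected range as stated in the advisory (inclusive).
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Constructed sample inventory: host -> output of `openssl version`.
SAMPLE_INVENTORY = {
    "broker-01": "OpenSSL 1.1.1q  5 Jul 2022",
    "app-02": "OpenSSL 3.0.5 5 Jul 2022",
    "app-03": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-04": "OpenSSL 1.0.2u  20 Dec 2019",
}

def parse_openssl_version(text):
    """Return (major, minor, patch) from `openssl version` output or a bare
    version string. The 1.x series appends a letter (1.1.1q); the 3.x series
    uses a numeric patch level, so the optional letter suffix is ignored."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)[a-z]*", text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True only for 3.0.0 through 3.0.6; 1.1.1 and 1.0.2 fall outside."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def affected_hosts(inventory):
    """Sorted list of hosts whose reported OpenSSL version is in range."""
    return sorted(
        host for host, output in inventory.items()
        if is_affected(parse_openssl_version(output))
    )

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: affected OpenSSL version, review or update")
```

The version string alone does not reflect vendor backports, so treat a match as a prompt to confirm against the distribution's own advisory rather than as a final verdict.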
Impact to Confluent Cloud
Confluent has not identified any exposure to these vulnerabilities in Confluent Cloud.
Impact to Confluent Platform
Confluent Platform is not impacted by these vulnerabilities, as the use of OpenSSL is limited to the OS layer of the component images. Confluent Platform images are built upon RedHat’s UBI 8 image, which is not affected by these vulnerabilities.
Impact to Confluent for Kubernetes
Confluent has not identified any exposure to these vulnerabilities in Confluent for Kubernetes, as OpenSSL is not used in CFK images.
Impact to Connectors
Confluent has not identified any exposure to these vulnerabilities in Confluent-supported connectors, as OpenSSL is not used.
Impact to Community/Standalone Package of ksqlDB
Confluent has not identified any exposure to these vulnerabilities in the community version of ksqlDB, as it does not leverage OpenSSL packages.
Impact to Confluent Platform Community Components
Confluent has not identified any exposure to these vulnerabilities in the community version of ksqlDB, as it does not leverage OpenSSL packages.
Changelog
- November 1, 2022 2:30 PM PST
- Initial publication for Confluent Platform and Confluent Cloud customers