# 2022-11-01 - High Severity Vulnerability in OpenSSL

Last updated: 2022-11-01

## Introduction
OpenSSL in versions after 3 and before 3.0.7 are potentially vulnerable against CVE-2022-3786 and CVE-2022-3602.

In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.
Wire applications perform such requests to TLS servers and Wire-Servers may also accept connections authenticated by client certificates.

## Are Wire installations affected?

**Wire/wire-server (<= 2022-10-04) is not affected by this vulnerability.** Neither Wire-server on the cloud (on wire.com) nor on-premise installations are affected.

Only OpenSSL version 3 is affected, all wire-server components use OpenSSL 1.1.1.

## Are Wire clients affected?

**Wire clients are not affected by this vulnerability.**

Wire clients for **Android** (<= 3.82.38) and **iOS** (<= 3.106) and don’t use OpenSSL. These Wire clients use only libsodium for cryptographic operations.

The Wire **Webapp** (<= 2022.10.12.08.31) and **Desktop** (<= 3.29) clients make use of OpenSSL 1.1.1 but not OpenSSL 3.

## Further information
* CVE-2022-3602 was initialy rated *critical* and then downgaded to *high*
* Additional details can be found in the [Security Advisory of OpenSSL](https://www.openssl.org/news/secadv/20221101.txt)