2022-11-01 - High Severity Vulnerability in OpenSSL

Last updated: 2022-11-01

Introduction

OpenSSL in versions after 3 and before 3.0.7 are potentially vulnerable against CVE-2022-3786 and CVE-2022-3602.

In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Wire applications perform such requests to TLS servers and Wire-Servers may also accept connections authenticated by client certificates.

Are Wire installations affected?

Wire/wire-server (<= 2022-10-04) is not affected by this vulnerability. Neither Wire-server on the cloud (on wire.com) nor on-premise installations are affected.

Only OpenSSL version 3 is affected, all wire-server components use OpenSSL 1.1.1.

Are Wire clients affected?

Wire clients are not affected by this vulnerability.

Wire clients for Android (<= 3.82.38) and iOS (<= 3.106) and don’t use OpenSSL. These Wire clients use only libsodium for cryptographic operations.

The Wire Webapp (<= 2022.10.12.08.31) and Desktop (<= 3.29) clients make use of OpenSSL 1.1.1 but not OpenSSL 3.

Further information

• CVE-2022-3602 was initialy rated critical and then downgaded to high

• Additional details can be found in the Security Advisory of OpenSSL