2022-11-01 - High Severity Vulnerability in OpenSSL
Last updated: 2022-11-01
Introduction
OpenSSL in versions after 3 and before 3.0.7 are potentially vulnerable against CVE-2022-3786 and CVE-2022-3602.
In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Wire applications perform such requests to TLS servers and Wire-Servers may also accept connections authenticated by client certificates.
Are Wire installations affected?
Wire/wire-server (<= 2022-10-04) is not affected by this vulnerability. Neither Wire-server on the cloud (on wire.com) nor on-premise installations are affected.
Only OpenSSL version 3 is affected, all wire-server components use OpenSSL 1.1.1.
Are Wire clients affected?
Wire clients are not affected by this vulnerability.
Wire clients for Android (<= 3.82.38) and iOS (<= 3.106) and don’t use OpenSSL. These Wire clients use only libsodium for cryptographic operations.
The Wire Webapp (<= 2022.10.12.08.31) and Desktop (<= 3.29) clients make use of OpenSSL 1.1.1 but not OpenSSL 3.
Further information
CVE-2022-3602 was initialy rated critical and then downgaded to high
Additional details can be found in the Security Advisory of OpenSSL