Please report any potential security issues to <open-horizon-security@lists.lfedge.org>. This will notify the core project team who will respond accordingly.

• On November 1 2022, the OpenSSL community released OpenSSL 3.0.7 which detailed two vulnerability alerts; CVE-2022-3786 and CVE-2022-3602. Both high severity CVE alerts related to x.509 certificate verification buffer overruns.
  • Open Horizon is not affected by these CVE security alerts
    • Open Horizon uses TLS encryption in the anax / exchange / css / vault / SDO components via the Go crypto/tls library.
    • Several Open Horizon components use the OpenSSL 1.x command line utilities to generate x.509 certificates / keys within containers and for testing.
    • Only the Open Horizon Exchange UBI9 based container includes the OpenSSL 3.0.x package to generate x.509 certificates. This usage is not affected by the CVE alerts resolved by OpenSSL 3.0.7
    • In the abundance of caution, the Exchange UBI9 container with the recently released OpenSSL 3.0.7 package will be rebuilt. That work is being tracked by Exchange API Issue #650

[comment]: <> - Open Horizon users can upgrade by pulling v2.87.4+ from the latest released branch or anything v2.102.0+ from the master branch.