OpenSSL - Pending Vulnerability Announcement

Incident
01 November 2022, 16:50 UTC

Status: closed
Start: 28 October 2022, 19:49 UTC
End: 01 November 2022, 16:50 UTC
Duration: 3 days 21 hours 1 minute
Affected Components:
Security Agents and Module Security Console & API Cloud WAF Fastly WAF (Legacy) Next-Gen WAF (NGWAF) Agent Downloads Data Services Dashboard Data Rule and IP List updates Rate Limiting and Alerts Rule Processing Requests Signals Dashboard
Affected Groups:
All Public Users
Update

28 October 2022, 19:49 UTC

Fastly is aware of a critical vulnerability that the OpenSSL project is expected to disclose in the near future. We are studying the currently available information surrounding this vulnerability and do not currently believe that Signal Sciences is vulnerable. We will continue to monitor as additional information is released and will provide our customers with more information as it becomes available.

Resolved

01 November 2022, 16:50 UTC

Fastly has reviewed the initial notification from OpenSSL regarding CVE-2022-3786 and CVE-2022-3602. We have analyzed the versions of OpenSSL in use at Fastly, and verified that we do not use OpenSSL 3.x. Fastly and customer usage of Fastly services are not vulnerable to CVE-2022-3786 or CVE-2022-3602.