OpenSSL 3.0.x high severity vulnerabilities CVE-2022-3786 and CVE-2022-3602

Potentially Impacted Products: IdentityNow (IDN), IdentityAI (IAI), and IDN Virtual Appliance (VA)

SailPoint has reviewed the currently available information on the recently announced OpenSSL vulnerabilities (CVE-2022-3786 and CVE-2022-3602) and determined that some SailPoint products use versions of OpenSSL that are impacted by these vulnerabilities.

Exploiting these two vulnerabilities requires that applications continue certificate validation despite failure to construct a path to a trusted issuer, or for the Certificate Authority (CA) to have signed a malicious certificate, neither of which is applicable to IDN, IAI, or the VA, unless customers configure their client authentication to continue certificate validation despite failure to construct a path to a trusted issuer. Out of an abundance of caution, all SailPoint products that use a vulnerable version of OpenSSL 3.0.x are targeted to be upgraded to use OpenSSL 3.0.7 within the SailPoint-established SLAs for high severity vulnerabilities.

Other SailPoint products such as IdentityIQ, Cloud Access Manager, File Access Manager, Access Risk Management, and SaaS Management are not impacted.

If you have questions, please contact your Customer Success Manager, Engagement Manager, or Partner Manager.

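A defender-side triage helper, added here as an example and not SailPoint's own tooling: it classifies OpenSSL version strings (as printed by `openssl version` or reported by a package manager) against the range the advisory describes, 3.0.0 through 3.0.6 affected and 3.0.7 fixed. The host names in the sample inventory are constructed.

```python
import re
import ssl

# Range taken from the advisory above: OpenSSL 3.0.0 through 3.0.6 carry
# CVE-2022-3786 / CVE-2022-3602; 3.0.7 is the fixed release. 1.1.1 and
# earlier are outside the affected series.
FIRST_AFFECTED = (3, 0, 0)
FIXED = (3, 0, 7)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(text):
    """Extract (major, minor, patch) from strings such as
    'OpenSSL 3.0.2 15 Mar 2022' or 'libssl3 3.0.2-0ubuntu1.6'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(text):
    """True if the string names an upstream OpenSSL build in the vulnerable range."""
    return FIRST_AFFECTED <= parse_openssl_version(text) < FIXED


def triage(inventory):
    """Map each component name to a verdict; inventory is name -> version string."""
    return {name: ("upgrade to 3.0.7" if is_affected(v) else "not affected")
            for name, v in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not real appliances),
# as it might be collected by running `openssl version` on each system.
SAMPLE_INVENTORY = {
    "va-01": "OpenSSL 3.0.2 15 Mar 2022",
    "va-02": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-gw": "OpenSSL 1.1.1q  5 Jul 2022",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")
    # Also check the OpenSSL this interpreter itself is linked against.
    verdict = "affected" if is_affected(ssl.OPENSSL_VERSION) else "not affected"
    print("local python ssl:", ssl.OPENSSL_VERSION, "->", verdict)
```

Distribution packages sometimes backport the fix while keeping a 3.0.x version string, so a "upgrade" verdict from this check should be confirmed against the vendor's patch level before being treated as an open finding.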

Hi @derek_putnam,

Speaking of CVEs, do you have any information as to CVE-2022-42889 and its potential impact in relation to IdentityIQ’s use of Apache Commons Text 1.9? I haven’t seen anything about it on Compass or here.


Hey @WillPanic, good looking out!

IdentityIQ does not use the capability of this library that exposes this vulnerability in the SailPoint-provided application or 3rd-party code. Any customer-provided rules, scripts, or Java classes will need to be inspected to determine if this vulnerable functionality is used. SailPoint will upgrade the commons-text-1.9.jar library in upcoming versions to avoid false positive alerts. This can be tracked by ETN IIQETN-10711.

Alright, sounds good; I’ll pass the information on internally.

Thank you for the timely response!
