Okta Access Gateway Advisory for CVE-2022-3602 and CVE-2022-3786
Description
On November 1, 2022, the OpenSSL organization disclosed two high-severity vulnerabilities in version 3.0 and above, which are patched in OpenSSL 3.0.7. Okta has investigated the usage of the vulnerabilities and will continue to assess the potential impact to our dependencies and third parties.
Okta Access Gateway has been found to use the OpenSSL 3.0 codebase since the release of 2022.10.0. Customers that have not yet updated to 2022.10.0, which contains OpenSSL 3.0, should refrain from updating to it until an updated version is available.
Okta Access Gateway customers who have updated to 2022.10.0 will be provided an updated version, 2022.11.0, as soon as possible. It is currently estimated to be available on 11/04/2022.
Affected product and versions
| Product | Impacted Versions | Notes |
| --- | --- | --- |
| Okta Access Gateway | 2022.10.0 | Customers that have not yet updated to 2022.10.0 should not update to 2022.10.0 |
Resolution
OAG version 2022.11.0 is now available, with OpenSSL updated to version 3.0.7.