
Okta Access Gateway Advisory for CVE-2022-3602 and CVE-2022-3786


Description

On November 1, 2022, the OpenSSL organization disclosed two high-severity vulnerabilities in versions 3.0 and above, which are patched in OpenSSL 3.0.7. Okta has investigated the usage of the vulnerabilities and will continue to assess the potential impact to our dependencies and third parties.

Okta Access Gateway has been found to use the OpenSSL 3.0 codebase since the release of 2022.10.0. Customers that have not yet updated to 2022.10.0, which contains OpenSSL 3.0, should refrain from updating to it until an updated version is available.

Okta Access Gateway customers who have updated to 2022.10.0 will be provided an updated version, 2022.11.0, as soon as possible. It is currently estimated to be available on 11/04/2022.

Affected product and versions

Product: Okta Access Gateway
Impacted Versions: 2022.10.0
Notes: Customers that have not yet updated to 2022.10.0 should not update to 2022.10.0

Resolution

OAG version 2022.11.0 is now available with OpenSSL updated to version 3.0.7.
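
One way to triage collected `openssl version` banners against the range named in the Description (OpenSSL 3.0 up to, but not including, 3.0.7). This is an added example, not Okta's or OpenSSL's code; the function names, host names and banner strings are constructed for illustration.

```python
import re

# Range taken from the advisory text: 3.0 and above, patched in 3.0.7.
FIRST_AFFECTED = (3, 0, 0)
FIRST_FIXED = (3, 0, 7)

# Start of an `openssl version` banner: product name, then a dotted version.
# A trailing letter (as in "1.1.1s") is allowed and ignored.
_BANNER = re.compile(r"^(?P<product>\S+)\s+(?P<ver>\d+\.\d+\.\d+)\S*")


def classify(banner: str) -> str:
    """Return 'affected', 'not-in-range', 'not-openssl' or 'unknown'."""
    m = _BANNER.match(banner.strip())
    if not m:
        return "unknown"
    if m.group("product") != "OpenSSL":
        # LibreSSL also reports 3.x numbers but is a different codebase,
        # so matching on the version number alone gives false positives.
        return "not-openssl"
    # Compare as integer tuples so that 3.0.10 sorts after 3.0.7.
    ver = tuple(int(part) for part in m.group("ver").split("."))
    if FIRST_AFFECTED <= ver < FIRST_FIXED:
        return "affected"
    return "not-in-range"


def affected_hosts(inventory: dict) -> list:
    """Return the sorted host names whose banner is in the affected range."""
    return sorted(h for h, b in inventory.items() if classify(b) == "affected")


# Constructed sample inventory (hypothetical hosts, typical banner formats).
SAMPLE_INVENTORY = {
    "gw-01": "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
    "gw-02": "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)",
    "web-01": "OpenSSL 1.1.1s  1 Nov 2022",
    "bsd-01": "LibreSSL 3.3.6",
    "build-01": "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(host, "needs OpenSSL 3.0.7 or later")
```

The banner reports only the library the `openssl` binary is linked against; software that bundles its own copy of OpenSSL has to be checked through the vendor's version, as this advisory does for Okta Access Gateway.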

References

OpenSSL Security Advisory

Okta’s Response to High OpenSSL Release