OpenSSL 3.0.x high severity vulnerabilities CVE-2022-3786 and CVE-2022-3602
Potentially Impacted Products: IdentityNow (IDN), IdentityAI (IAI), and IDN Virtual Appliance (VA)
SailPoint has reviewed the currently available information on the recently announced OpenSSL vulnerabilities (CVE-2022-3786 and CVE-2022-3602) and determined that some SailPoint products use versions of OpenSSL that are impacted by these vulnerabilities.
Exploiting these 2 vulnerabilities requires that applications continue certificate validation despite failure to construct a path to a trusted issuer or for the Certificate Authority (CA) to have signed a malicious certificate, neither of which is applicable to IDN, IAI, or the VA, unless customers configure their client authentication to continue certificate validation despite failure to construct a path to a trusted issuer. Out of an abundance of caution, all SailPoint products that use a vulnerable version of OpenSSL 3.0.x are targeted to be upgraded to use OpenSSL 3.0.7 within the SailPoint-established SLAs for high severity vulnerabilities.
Other SailPoint products such as IdentityIQ, Cloud Access Manager, File Access Manager, Access Risk Management, and SaaS Management are not impacted.
If you have questions, please contact your Customer Success Manager, Engagement Manager, or Partner Manager. Please subscribe to the product-specific blogs on Compass for future security and other important announcements related to the individual products