Security Advisory: OpenSSL Vulnerability
Last week, on October 25th, 2022, Prefect became aware of the pre-announced vulnerabilities in OpenSSL and began assessing potential impact to our internal infrastructure and to the container images we publish for our open source projects. Prefect reviewed the OpenSSL advisory and the details of the two vulnerabilities (CVE-2022-3786 and CVE-2022-3602). Both are buffer overflows in the punycode decoder used for X.509 name-constraint checking during certificate verification, and they affect OpenSSL 3.0.0 through 3.0.6 (fixed in 3.0.7); OpenSSL 1.1.1 and earlier releases are not affected. The overflow is reachable only after chain signature verification, so in practice exploitation requires either a CA to have signed the malicious certificate or an application that continues verification despite failing to build a path to a trusted issuer.
Prefect uses a Google Cloud Load Balancer to process all inbound traffic for both versions of Prefect Cloud, including TLS termination, and we continuously monitor Google’s security advisories, including their corresponding OpenSSL advisory. In one instance, we identified a vulnerable version of OpenSSL in a container image provided by an upstream vendor. We confirmed that the application in that image does not link to the OpenSSL libraries (libssl or libcrypto), so the vulnerable certificate-verification code is never loaded and the service is not affected by this issue. Additionally, the service is accessible only to Prefect employees as a result of network-level restrictions. No portion of our infrastructure was affected by this issue, and we reaffirm our commitment to provide our customers with a timely security update if we discover otherwise.
The most recent versions of the container images that Prefect publishes for our open source projects (Prefect 1.0, Prefect Server 1.0, and Prefect 2.0) include an older, pre-3.0 version of OpenSSL, which is outside the affected range, and we do not believe they are affected.
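The two checks described above (is the image's OpenSSL inside the 3.0.0 to 3.0.6 range, and does the application actually link libssl or libcrypto) can be scripted so they are repeatable across images. The helper below is an added example, not Prefect's own tooling; the version strings and ldd output it ships with are constructed samples, and the live `triage_binary` path assumes a POSIX shell with `openssl`, `ldd`, `awk` and `grep` available inside the container.

```shell
#!/bin/sh
# Container-image triage for CVE-2022-3786 / CVE-2022-3602.
# Added example; not Prefect's own tooling. Assumes POSIX sh with awk and grep,
# plus the openssl and ldd binaries for the live path at the bottom.
#
# Affected range per the OpenSSL advisory: 3.0.0 through 3.0.6, fixed in 3.0.7.
# OpenSSL 1.1.1 and earlier never contained the vulnerable punycode decoder.

# Constructed sample outputs for offline checking (not captured from a real image).
SAMPLE_VULN_VERSION='OpenSSL 3.0.5 5 Jul 2022'
SAMPLE_FIXED_VERSION='OpenSSL 3.0.7 1 Nov 2022'
SAMPLE_OLD_VERSION='OpenSSL 1.1.1q  5 Jul 2022'
SAMPLE_LDD_LINKED='	libssl.so.3 => /usr/lib/x86_64-linux-gnu/libssl.so.3 (0x00007f3a1c200000)
	libcrypto.so.3 => /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3a1bc00000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1b800000)'
SAMPLE_LDD_UNLINKED='	linux-vdso.so.1 (0x00007ffd4e3f9000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1b800000)'

# is_openssl_affected "<output of 'openssl version'>"
# Returns 0 (true) when the reported build is OpenSSL 3.0.0 through 3.0.6.
is_openssl_affected() {
    name=$(printf '%s\n' "$1" | awk '{print $1}')
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    # Only genuine OpenSSL builds carry this bug; LibreSSL/BoringSSL report differently.
    [ "$name" = "OpenSSL" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop suffixes such as "-dev" or the "q" in 1.1.1q
    [ "$major" = "3" ] && [ "$minor" = "0" ] && [ "${patch:-0}" -le 6 ]
}

# links_openssl "<output of 'ldd /path/to/binary'>"
# Returns 0 when the dynamic loader would pull in libssl or libcrypto.
# A binary that links neither cannot reach the vulnerable X.509 verification
# code even if a vulnerable libssl is installed elsewhere in the image.
links_openssl() {
    printf '%s\n' "$1" | grep -Eq 'lib(ssl|crypto)\.so'
}

# Caveats a reviewer should keep in mind:
# - Statically linked binaries (common for Go) show no libssl line in ldd output;
#   Go's crypto/tls is not OpenSSL, but a C program linked statically against
#   OpenSSL 3.0.x would be invisible to this check.
# - Distro packages often backport fixes without bumping the upstream version
#   string, so a "3.0.x" match should be confirmed against the package changelog
#   or the distribution's own advisory before being reported as vulnerable.

# Live triage of one binary inside the running container.
triage_binary() {
    bin=$1
    verstr=$(openssl version 2>/dev/null || echo "openssl-not-installed")
    lddout=$(ldd "$bin" 2>/dev/null || echo "not-a-dynamic-executable")
    if is_openssl_affected "$verstr"; then
        echo "image OpenSSL: $verstr (in affected range 3.0.0-3.0.6)"
    else
        echo "image OpenSSL: $verstr (outside affected range)"
    fi
    if links_openssl "$lddout"; then
        echo "$bin links libssl/libcrypto: exposed if the image OpenSSL is affected"
    else
        echo "$bin does not link libssl/libcrypto: not exposed through the system OpenSSL"
    fi
}

# Usage inside a container: sh triage.sh /usr/local/bin/your-app
if [ -n "${1:-}" ]; then
    triage_binary "$1"
fi
```

Run it with the path of the service's entrypoint binary; the version check alone is not enough, because an image can carry a vulnerable libssl that no running process ever loads, which is exactly the situation described for the upstream vendor image above.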
We will continue to monitor the situation as it develops and update this page accordingly.
Don’t hesitate to contact the Customer Success team or ask us questions in our Prefect Community Slack.