Introducing the new Render CLI and refreshed Render Dashboard.

Learn more
Engineering
November 01, 2022

OpenSSL Patch

Ed Ropple

Security Announcement in Response to OpenSSL Patches

Render is aware of the patches released today for OpenSSL 3.0 (CVE-2022-3602 and CVE-2022-3786). Render services are not affected by these CVEs. This weekend we found that because this only impacts OpenSSL 3.0.X versions, our core services were not affected. Today the OpenSSL team released their update with full details. In their update, they explained that they have downgraded the 1 ‘critical’ vulnerability to ‘high’ based on the limited ability, in practice, for exploitability. The primary method of exploitation would be for a vulnerable TLS client to connect to a malicious TLS server. Additionally, at least some versions of Linux do not contain the RCE at all. We will continue in our commitment to proper patching and we encourage everyone to do so as well. In this case, we are not affected. For more information about these patches, refer to BleepingComputer's article: "OpenSSL fixes two high severity vulnerabilities, what you need to know"