On this page, we provide the latest update of the potential impact of the recently announced OpenSSL vulnerabilities on Google Cloud products and services. Investigations are ongoing as this is a developing event. We will continue to assess potential impact as we learn more, and we will update this post with details on any impacted Google Cloud products and services.
Google Cloud is actively tracking the recently published security vulnerabilities in the OpenSSL toolkit (CVE-2022-3786 and CVE-2022-3602). The vulnerabilities only impact OpenSSL versions 3.0 and above. We encourage customers using those versions to upgrade to version 3.0.7 as soon as possible.
As of this publication, we’ve seen no evidence of exploitation activity. Google primarily uses BoringSSL, which is not affected by these vulnerabilities because it is based off of a previous version of OpenSSL.
Background: On November 1, the OpenSSL project team released OpenSSL version 3.0.7 to fix two vulnerabilities in OpenSSL 3.0.x. OpenSSL initially suggested that the pending release would resolve a critical vulnerability. The version 3.0.7 release, however, assigned a high severity to both vulnerabilities. This assessment was based on further technical review and alignment with OpenSSL’s security policies.
We’ll share more information with customers as it becomes available and update this page with the results of our investigation and any guidance if appropriate.
