On November 1, 2022, OpenSSL published a security advisory detailing two high-severity vulnerabilities in the 3.0 series of their library (versions 3.0.0 through 3.0.6, fixed in 3.0.7), tracked as CVE-2022-3602 and CVE-2022-3786. Atlassian kicked off the incident management process to assess the impact of these vulnerabilities across the Atlassian products, platform and ecosystem.
Our products link against the system OpenSSL library by default. If several versions of OpenSSL are installed on the same host, the dynamic linker's search path can be adjusted, for example in /etc/ld.so.conf (or a file under /etc/ld.so.conf.d/), so that the directory holding the patched version is listed before the directory holding the vulnerable one; run ldconfig afterwards and confirm with ldconfig -p or ldd that the patched library is the one actually resolved. This only redirects dynamically linked binaries that load the library by its SONAME; a statically linked or bundled copy of OpenSSL is unaffected by the change and must be updated separately. We recommend checking the Docker image used for our products for vulnerable versions of the OpenSSL library. Please feel free to reach out on Atlassian's response thread for other product-related concerns.
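The following script is an added example, not Atlassian's own tooling, showing how a practitioner might check a host or container image for OpenSSL builds in the affected range and see which copies of libssl/libcrypto the loader can reach. The affected range (3.0.0 through 3.0.6, fixed in 3.0.7; the 1.1.1 and 1.0.2 series are not affected) comes from the OpenSSL advisory; the ldconfig sample output embedded in the script is constructed for illustration. One caveat: distributions backport fixes, so a package whose upstream version string still reads 3.0.2 may already be patched; confirm against the vendor's advisory rather than the version number alone.

```shell
#!/bin/sh
# Added example (not Atlassian's code): check an image or host for OpenSSL
# builds affected by CVE-2022-3602 / CVE-2022-3786 and show which libssl /
# libcrypto copies the dynamic loader will pick up, in search order.
# Affected per the OpenSSL advisory: 3.0.0 .. 3.0.6. Fixed: 3.0.7.
# 1.1.1 and 1.0.2 are not affected by these two CVEs.
# Caveat: distros backport fixes, so cross-check package versions against the
# vendor advisory; this script reasons about upstream version strings only.

# parse_openssl_version "OpenSSL 3.0.5 5 Jul 2022" -> prints "3.0.5"
parse_openssl_version() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# classify VERSION -> prints "affected", "not_affected" or "unknown"
classify() {
    case "$1" in
        3.0.[0-6])                   echo affected ;;
        3.0.[7-9]|3.0.[1-9][0-9]*)   echo not_affected ;;   # 3.0.7 and later
        3.[1-9]*)                    echo not_affected ;;   # 3.1+ branched after the fix
        1.1.1*|1.0.2*)               echo not_affected ;;   # older series, not affected
        *)                           echo unknown ;;        # LibreSSL, dev snapshots, etc.
    esac
}

# list_openssl_libs LDCONFIG_OUTPUT -> prints each libssl/libcrypto path in
# the order `ldconfig -p` lists them, which is the loader's search order:
# for a given SONAME (e.g. libssl.so.3) the FIRST hit wins. This is what the
# /etc/ld.so.conf ordering fix changes; re-run `ldconfig` after editing it.
list_openssl_libs() {
    printf '%s\n' "$1" | awk '/lib(ssl|crypto)\.so/ {print $NF}'
}

# resolved_openssl_for BINARY -> the libssl/libcrypto paths actually bound
# for BINARY. Empty output means it is statically linked or carries its own
# copy, in which case ld.so.conf changes will not help it.
resolved_openssl_for() {
    ldd "$1" 2>/dev/null | awk '/lib(ssl|crypto)\.so/ {print $3}'
}

# Constructed sample of `ldconfig -p` output (not captured from a real host):
# a locally built OpenSSL under /usr/local/ssl shadows the distro copy.
SAMPLE_LDCONFIG='	libssl.so.3 (libc6,x86-64) => /usr/local/ssl/lib64/libssl.so.3
	libssl.so.3 (libc6,x86-64) => /lib/x86_64-linux-gnu/libssl.so.3
	libcrypto.so.3 (libc6,x86-64) => /usr/local/ssl/lib64/libcrypto.so.3
	libz.so.1 (libc6,x86-64) => /lib/x86_64-linux-gnu/libz.so.1'

echo "sample loader view (first libssl.so.3 listed is the one that loads):"
list_openssl_libs "$SAMPLE_LDCONFIG"

# Live check of the current host or image; each step is skipped if the tool
# is missing so the script is safe to run inside a minimal container.
if command -v openssl >/dev/null 2>&1; then
    v=$(parse_openssl_version "$(openssl version)")
    echo "openssl CLI reports $v: $(classify "$v")"
fi
if command -v ldconfig >/dev/null 2>&1; then
    echo "libssl/libcrypto visible to the loader, in search order:"
    list_openssl_libs "$(ldconfig -p 2>/dev/null)"
fi
if command -v ldd >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    echo "libraries bound by the openssl binary itself:"
    resolved_openssl_for "$(command -v openssl)"
fi
```

Run it as `sh check-openssl.sh` on the host, or as `docker run --rm --entrypoint sh <image> -c "$(cat check-openssl.sh)"` against a product image; for binaries that ship their own OpenSSL, point resolved_openssl_for at the product's executables rather than the system openssl CLI.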