Sandfly 4.2.3 - OpenSSL CVE-2022-3602 and CVE-2022-3786 Update

Sandfly 4.2.3 has been released and contains fixes for the OpenSSL CVEs announced on November 1, 2022: CVE-2022-3602 and CVE-2022-3786.

Sandfly's core server and API is written in Go and the TLS libraries are not affected by this bug. However, out of an abundance of caution and to assist customers with their own compliance needs, we are releasing updated Docker images that include the fixed version of OpenSSL. The v4.2.3 release of Sandfly is functionally equivalent to the v4.2.2 release.

Specifically, the sandfly-server and sandfly-node images, which are based on Ubuntu 22.04 LTS, include the libssl3 3.0.2-0ubuntu1.7 package which includes the fix. The sandfly-rabbit image is based on Ubuntu 20.04 LTS, which does not include a vulnerable version of OpenSSL.

Customers wishing to upgrade can follow the instructions here:

    Upgrading Sandfly

If you have any questions, please reach out to us.