Is xMatters impacted by the recently announced OpenSSL vulnerability?
The Support and Engineering teams conducted an investigation of this vulnerability, and have confirmed that the issue outlined in the notice does not affect xMatters.
This vulnerability does not impact the xMatters service.
On November 1, 2022, OpenSSL disclosed CVE-2022-3602 and CVE-2022-3786, two vulnerabilities where triggering a buffer overrun during certificate verification could potentially allow an attacker to cause a crash or execute code.
Since the vulnerability was identified, the xMatters Security and Engineering teams have been extensively reviewing and testing all OpenSSL implementations around xMatters. The teams have confirmed that, while xMatters does use OpenSSL, the service is not susceptible to this issue due to the architecture and configuration of the SaaS platform which keeps all public-facing or accessible SSL behind and protected by Google Load Balancers.
To ensure complete compliance, the Engineering teams have double-checked all relevant tools and applications to ensure there are no flags or alerts.
Security at xMatters
We have a regular cadence of security scans looking for vulnerabilities and take action whenever possible and prudent to harden our software and services. Because these scans are constant and ongoing, the teams are able to correct for certain issues well before they become public.
In the interests of security, we will not be releasing a list of the versions and components currently in use. We can, however, confirm that the specific conditions required to perform a successful attack using this exploit are not and were not exposed in xMatters at any time.
The teams are continuing to test and monitor the system, and we will update this article as necessary.