Like the majority of the information security community, the Particle Security team is currently awaiting full details on the OpenSSL version 3.0+ vulnerability expected to be released shortly. Once full details are out, we’ll be able to provide more information on our response to this particular issue.
Based on what is known so far, we do not anticipate significant exposure to the issue. OpenSSL is not used by Particle Device OS, so there will be no urgent patch for customers to apply to devices. Any patching will have to occur on the Particle side and based on the versions of OpenSSL that are expected to be vulnerable to the issue, we do not anticipate exposure on key services involved in device connectivity to the Particle Device Cloud.
As details emerge, we’ll update this thread with our current status.
Update 10:15 PST 11/1/22:
The issues in question have now been assigned the CVE’s CVE-2022-3602 and CVE-2022-3786. The severity of both issues has been downgraded from Critical to High, and additionally, the conditions required for successful exploitation mean that it is unlikely. Given this, Particle will be applying the patch internally in accordance with our standard patching policy and timeframes. No additional customer action is required, and we do not anticipate providing any further updates to this thread.
Until next time!
Head of Security, Particle