KB Article #182347

Is API Gateway vulnerable to OpenSSL CVE-2022-3358?

Problem

Is API Gateway vulnerable to OpenSSL CVE-2022-3358?

Resolution

No, we are not vulnerable. CVE-2022-3358 is an OpenSSL CVE affecting versions 3.0.0 through 3.0.5, inclusive. Although the 7.7 May22 and Aug22 releases ship those OpenSSL versions, the vulnerability does not apply to API Gateway. The CVE describes the trigger as passing the value NID_undef to the OpenSSL function EVP_CIPHER_meth_new(), which causes OpenSSL to wrongly select the NULL cipher from the default provider, resulting in unencrypted output. We do not make any calls to EVP_CIPHER_meth_new(), nor do we implement custom ciphers, so we cannot accidentally select the NULL cipher in this manner.
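The reasoning above rests on two checks that any team can repeat for its own product: is the linked OpenSSL inside the affected 3.0.0 to 3.0.5 range, and does the code base call EVP_CIPHER_meth_new() at all (with NID_undef being the specific trigger)? The following Python script is an added example written for this article; it is not API Gateway's code or an OpenSSL tool. It assumes the version string looks like the output of `openssl version` or Python's `ssl.OPENSSL_VERSION`, and it treats a text scan of source files as a first-pass approximation of a code audit. The two sample source files are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Affected range as stated in the advisory: 3.0.0 through 3.0.5, inclusive.
AFFECTED_RANGE: Tuple[Tuple[int, int, int], Tuple[int, int, int]] = ((3, 0, 0), (3, 0, 5))

# Matches an actual call site, e.g. "EVP_CIPHER_meth_new(NID_undef, 16, 16)",
# but not a bare mention of the name in a sentence.
CALL_RE = re.compile(r"\bEVP_CIPHER_meth_new\s*\(")


def parse_openssl_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from strings such as 'OpenSSL 3.0.5 5 Jul 2022'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_version(text: str) -> bool:
    """True if the OpenSSL version falls inside the advisory's inclusive range."""
    low, high = AFFECTED_RANGE
    return low <= parse_openssl_version(text) <= high


def find_custom_cipher_calls(source: str, filename: str) -> List[Tuple[str, int, str]]:
    """Return (file, line number, line) for every EVP_CIPHER_meth_new() call site.

    Lines that are obviously comments are skipped; this is a heuristic scan,
    not a parser, so treat its output as a lead for manual review.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "/*", "*")):
            continue
        if CALL_RE.search(stripped):
            hits.append((filename, lineno, stripped))
    return hits


def assess(version_text: str, sources: Dict[str, str]) -> Dict[str, object]:
    """Combine both checks: exposure requires an affected build AND a call site."""
    affected = is_affected_version(version_text)
    calls = [hit for name, src in sources.items() for hit in find_custom_cipher_calls(src, name)]
    nid_undef_calls = [hit for hit in calls if "NID_undef" in hit[2]]
    return {
        "openssl_version": parse_openssl_version(version_text),
        "affected_openssl": affected,
        "custom_cipher_calls": calls,
        "nid_undef_calls": nid_undef_calls,
        # Exposed only when both conditions hold; an affected OpenSSL alone is not enough.
        "exposed": affected and bool(calls),
    }


# Constructed sample: code that only fetches standard ciphers from a provider,
# which is the situation the article describes (no custom ciphers at all).
CLEAN_SOURCE = """\
/* constructed sample: provider-fetched standard cipher only */
#include <openssl/evp.h>
static EVP_CIPHER *get_aes(OSSL_LIB_CTX *ctx) {
    return EVP_CIPHER_fetch(ctx, "AES-256-GCM", NULL);
}
"""

# Constructed sample: the pattern the advisory warns about, a legacy custom
# cipher created with NID_undef. Included purely so the scanner has a hit to find.
CUSTOM_CIPHER_SOURCE = """\
/* constructed sample: legacy custom cipher registered with NID_undef */
#include <openssl/evp.h>
static EVP_CIPHER *make_custom(void) {
    /* EVP_CIPHER_meth_new is deprecated in 3.0; mention only, not a call */
    return EVP_CIPHER_meth_new(NID_undef, 16, 16);
}
"""


if __name__ == "__main__":
    import ssl  # ssl.OPENSSL_VERSION reports the OpenSSL this interpreter links
    print("interpreter OpenSSL affected:", is_affected_version(ssl.OPENSSL_VERSION))
    print(assess("OpenSSL 3.0.5 5 Jul 2022", {"gateway.c": CLEAN_SOURCE}))
    print(assess("OpenSSL 3.0.5 5 Jul 2022", {"custom.c": CUSTOM_CIPHER_SOURCE}))
```

Running this against the first sample on an affected OpenSSL reports `exposed: False`, which mirrors the article's conclusion: the version is in range, but with no EVP_CIPHER_meth_new() call site there is no path to the NULL cipher. The second sample flips the result and also lists the NID_undef call for review. A positive scan is a prompt to upgrade to a fixed OpenSSL or to move the cipher to the provider mechanism, not proof of exploitability on its own.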