Outage in Aptible

High vulnerabilities in OpenSSL (CVE-2022-3602 & CVE-2022-3786)

Resolved Minor
October 31, 2022 - Started over 1 year ago - Lasted 3 days
Official incident page


Outage Details

OpenSSL has announced a critical vulnerability [0] for which a patch will be released tomorrow, November 1, 2022 between 13:00 and 17:00 UTC. The nature of the vulnerability has not been disclosed, but based on how it's being handled, Aptible expects it could be a serious vulnerability affecting data confidentiality for those running affected OpenSSL versions (>= 3.0.0, < 3.0.7).

Aptible has reviewed all infrastructure components that we manage and has confirmed that all are unaffected by this vulnerability. These components include:

- Our Managed TLS endpoints
- The TLS endpoints for our REST API services (Auth and Deploy APIs)
- All versions of our managed databases
- Our log forwarding infrastructure
- Our metrics collection infrastructure
- Our SSH and Git server infrastructure

Still, every Aptible customer should check the OpenSSL versions used in their apps to confirm they're unaffected. To do so, run:

$ aptible ssh --app $APP_HANDLE openssl version

If the version is >= 3.0.0, you should plan to upgrade your apps' Docker image(s) tomorrow as soon as OpenSSL 3.0.7 is released.

We will continue to update this incident page as more information is revealed about the vulnerability. If the vulnerability is only exploitable for *server-side* OpenSSL functionality, the impact to Aptible customers would be significantly reduced. Only those customers who use plain TCP endpoints [1] with their own OpenSSL for TLS termination would be affected in this scenario.

[0] https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
[1] https://deploy-docs.aptible.com/docs/tcp-endpoints
Latest Updates (sorted most recent first)
MONITORING over 1 year ago - at 11/01/2022 05:21PM

OpenSSL's pre-announcement of CVE-2022-3602 described this issue as CRITICAL, but it has since been downgraded to HIGH [0]. Aptible remains unaffected by this vulnerability. We still recommend every Aptible customer check the OpenSSL versions used in their apps to confirm they're unaffected. Please follow the aforementioned steps to check the version and update OpenSSL accordingly.

Additional Context & Guidance from OpenSSL: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

[0] https://www.openssl.org/news/secadv/20221101.txt

MONITORING over 1 year ago - at 10/31/2022 08:21PM

OpenSSL has announced a critical vulnerability [0] for which a patch will be released tomorrow, November 1, 2022 between 13:00 and 17:00 UTC. The nature of the vulnerability has not been disclosed, but based on how it's being handled, Aptible expects it could be a serious vulnerability affecting data confidentiality for those running affected OpenSSL versions (>= 3.0.0, < 3.0.7).

Aptible has reviewed all infrastructure components that we manage and has confirmed that all are unaffected by this vulnerability. These components include:

- Our Managed TLS endpoints
- The TLS endpoints for our REST API services (Auth and Deploy APIs)
- All versions of our managed databases
- Our log forwarding infrastructure
- Our metrics collection infrastructure
- Our SSH and Git server infrastructure

Still, every Aptible customer should check the OpenSSL versions used in their apps to confirm they're unaffected. To do so, run:

$ aptible ssh --app $APP_HANDLE openssl version

If the version is >= 3.0.0, you should plan to upgrade your apps' Docker image(s) tomorrow as soon as OpenSSL 3.0.7 is released.

We will continue to update this incident page as more information is revealed about the vulnerability. If the vulnerability is only exploitable for *server-side* OpenSSL functionality, the impact to Aptible customers would be significantly reduced. Only those customers who use plain TCP endpoints [1] with their own OpenSSL for TLS termination would be affected in this scenario.

[0] https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
[1] https://deploy-docs.aptible.com/docs/tcp-endpoints
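The version check above, turned into a small script that classifies the output for each app: this is an added example, not Aptible's own tooling. It assumes `openssl version` prints a banner of the form `OpenSSL x.y.z <date>` (with an optional letter or pre-release suffix) and encodes the affected range stated in this update, >= 3.0.0 and < 3.0.7; `check_app` wraps the exact `aptible ssh` command from the update, and the app handles passed on the command line are placeholders.

```shell
#!/bin/sh
# Added example; not Aptible's own tooling. Parses the output of the
# `openssl version` check from the incident page and classifies it against
# the affected range stated there: 3.0.0 <= version < 3.0.7.

# openssl_affected "<openssl version output>"
#   prints "affected" (return 0), "unaffected" (return 1) or
#   "unparseable" (return 2) when the string is not an OpenSSL banner
#   (e.g. LibreSSL, which is a different code base).
openssl_affected() {
    # Keep only the leading numeric version: "3.0.5" from
    # "OpenSSL 3.0.5 5 Jul 2022", "1.1.1" from "OpenSSL 1.1.1q  5 Jul 2022".
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unparseable
        return 2
    fi
    # Split into major.minor.patch; missing or empty components default to 0.
    old_ifs=$IFS
    IFS=.
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    # 3.0.0 <= version < 3.0.7 is exactly "major 3, minor 0, patch below 7".
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 7 ]; then
        echo affected
        return 0
    fi
    echo unaffected
    return 1
}

# check_app APP_HANDLE: run the command from the incident page against one
# app and print a one-line verdict. Needs the aptible CLI and access to the
# app, so it is not exercised offline.
check_app() {
    app=$1
    if ! out=$(aptible ssh --app "$app" openssl version 2>/dev/null); then
        printf '%s: could not run openssl version\n' "$app"
        return 2
    fi
    verdict=$(openssl_affected "$out") || true
    printf '%s: %s (%s)\n' "$app" "$verdict" "$out"
}

# Usage: sh check_openssl.sh my-app-one my-app-two
# (hypothetical app handles; each argument is passed to check_app)
for app in "$@"; do
    check_app "$app"
done
```

Apps reported as `affected` are the ones whose Docker images should be rebuilt against OpenSSL 3.0.7 once it ships; `unaffected` covers both the 1.1.1 series and 3.0.7 or later, and `unparseable` means the image ships something other than OpenSSL and needs a manual look.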
