Welcome to Kandji's Trust Center. Our commitment to data privacy and security is embedded in every part of our business. Use this Trust Center to learn about our security posture and request access to our security documentation.
Trust Center Updates
Kandji's Response to OpenSSL Incidents
The Kandji Security team has investigated and continues to monitor the OpenSSL Security Advisory dated 01 November 2022. OpenSSL is the open-source cryptographic library most commonly used by web applications to secure data in transit; websites often rely on it to provide Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption.
On Tuesday, November 1st, the OpenSSL Team released a security advisory about a newly discovered vulnerability in the OpenSSL library that could affect the security of operating systems and applications shipped by several popular vendors.
The OpenSSL team provided the following overview of the vulnerability:
“An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution depending on stack layout for any given platform/compiler, [CVE-2022-3602]” the OpenSSL Project explained in its changelog for version 3.0.7. An attacker can exploit CVE-2022-3786 just by creating a malicious email address to “overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack.”
Based on the statements from the OpenSSL team, the issue can be triggered in two ways: a vulnerable TLS client connects to a malicious server, or a vulnerable TLS server (web server, API endpoint, etc.) that requests client authentication receives a connection from a malicious client.
The OpenSSL team is not aware of any exploitation of these vulnerabilities in the wild. Because OpenSSL is so widely deployed, the potential magnitude of this vulnerability could have major implications for organizations of all sizes and industries, hence the urgency to patch and update systems.
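One way to triage a fleet for this advisory, as an added example that is not Kandji's own tooling: the check below classifies `openssl version` banners against the affected range (OpenSSL 3.0.0 through 3.0.6, fixed in 3.0.7; the older 1.x series and LibreSSL, which macOS ships, do not contain the affected code). The host inventory is constructed sample data.

```python
import re
import ssl

# Affected range per the 1 Nov 2022 OpenSSL advisory: 3.0.0 <= v < 3.0.7.
# OpenSSL 1.1.1/1.0.2 never had the affected punycode decoder, and LibreSSL
# is a separate code base, so both are classified as not affected.
AFFECTED_MIN = (3, 0, 0)
FIXED = (3, 0, 7)

# Matches "OpenSSL 3.0.5 5 Jul 2022", "OpenSSL 1.1.1q  5 Jul 2022", "LibreSSL 3.3.6".
VERSION_RE = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)

def parse_version(banner):
    """Parse a version banner into (library name, (major, minor, patch))."""
    m = VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))

def classify(banner):
    """Return 'affected', 'fixed' or 'not-affected' for one version banner."""
    lib, ver = parse_version(banner)
    if lib.lower() != "openssl":
        return "not-affected"          # LibreSSL: different code base
    if AFFECTED_MIN <= ver < FIXED:
        return "affected"              # 3.0.0 - 3.0.6: update to 3.0.7+
    if ver >= FIXED:
        return "fixed"                 # 3.0.7 or any later release
    return "not-affected"              # 1.x series predates the vulnerable code

# Constructed sample inventory (hostname -> banner), not real hosts.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "api-02": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-03": "OpenSSL 1.1.1q  5 Jul 2022",
    "mac-04": "LibreSSL 3.3.6",
}

def hosts_needing_patch(inventory):
    """Return the sorted list of hosts whose banner falls in the affected range."""
    return sorted(h for h, b in inventory.items() if classify(b) == "affected")

if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY.items():
        print(f"{host:10} {classify(banner):13} {banner}")
    print("needs patch:", hosts_needing_patch(SAMPLE_INVENTORY))
    # The same check against the library this interpreter is linked with.
    print("this python:", ssl.OPENSSL_VERSION, "->", classify(ssl.OPENSSL_VERSION))
```

A banner check only covers the library the `openssl` binary or interpreter is linked against; applications that bundle their own copy of OpenSSL need to be inventoried separately.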
As soon as Kandji learned of this vulnerability, we promptly evaluated the Kandji SaaS (Software-as-a-Service) platform, the Kandji Self Service app, and all supporting systems to determine what might be impacted, and methodically set about remediating any exposure.
Kandji's Engineering and Security teams have determined that the Kandji product does not use the affected versions of OpenSSL and is therefore not impacted by the OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786.
Kandji continues to monitor the situation and does not expect to be impacted by any further developments or discoveries related to the OpenSSL issue.