gaustin
Alteryx

On Tuesday, November 1st, 2022, Alteryx became aware of two high-severity vulnerabilities in the OpenSSL security framework (CVE-2022-3602 & CVE-2022-3786), also known as “Spooky SSL.” These vulnerabilities were initially announced with a “Critical” severity rating but were downgraded to “High” upon further analysis by OpenSSL. These CVEs relate to buffer overruns in the security certificate verification code, and more information can be found on the OpenSSL site.

 

Patched Products

 

Release 2022.1.1.42590 Patch 3 has been released for:

  • Server 22.1+  
  • Designer 22.1+

 

Potentially Affected Products 

 

These products and versions include OpenSSL 3.0, and patches are in development:

  • Server FIPS 22.1+
  • Designer FIPS 22.1+

 

Products Confirmed as Not Impacted 

 

  • Designer builds up to and including version 21.4
  • Server builds up to and including version 21.4
  • Trifacta (on premises) AKA Designer Cloud (self-managed)
  • Google Cloud Data Prep
  • Designer Cloud Powered by Trifacta
  • Machine Learning
  • Intelligence Suite
  • Connect 
  • Alteryx Analytics Hub
  • Auto Insights
  • Promote
  • Metrics Store

 

Third Party Software

 

Third-party software may be impacted. If you downloaded tools such as database drivers or other management tools, please refer to those vendors for support and updates.
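To find third-party copies of OpenSSL that need a vendor follow-up, the following added example (not Alteryx or OpenSSL code) inventories bundled libraries by the version banner they embed. The affected range 3.0.0 through 3.0.6 comes from OpenSSL's own advisory rather than this page, and the library file-name patterns are assumptions.

```python
import re
import sys
from pathlib import Path

# Version banner OpenSSL builds embed in libcrypto/libssl,
# e.g. b"OpenSSL 3.0.5 5 Jul 2022" or b"OpenSSL 1.1.1q  5 Jul 2022".
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(?=[ -])")
# Assumed file-name patterns for bundled copies (DLLs, shared objects).
LIB_NAME = re.compile(r"(libcrypto|libssl|libeay32|ssleay32)", re.I)

def classify(major, minor, patch):
    """CVE-2022-3602 / CVE-2022-3786 affect OpenSSL 3.0.0 through 3.0.6."""
    if (major, minor) == (3, 0):
        return "affected" if patch <= 6 else "fixed"
    return "not affected"

def find_versions(data):
    """Return sorted, de-duplicated (version, status) pairs found in raw bytes."""
    found = set()
    for m in BANNER.finditer(data):
        major, minor, patch = (int(g) for g in m.groups()[:3])
        text = f"{major}.{minor}.{patch}{m.group(4).decode()}"
        found.add((text, classify(major, minor, patch)))
    return sorted(found)

def scan_tree(root):
    """Map each OpenSSL-looking library under root to the versions it embeds."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and LIB_NAME.search(path.name):
            try:
                versions = find_versions(path.read_bytes())
            except OSError:
                continue  # unreadable file: skip rather than abort the inventory
            if versions:
                report[str(path)] = versions
    return report

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for lib, versions in scan_tree(root).items():
        for text, status in versions:
            print(f"{status:12} OpenSSL {text:8} {lib}")
```

Run it against a driver or tool installation directory; statically linked copies inside executables with other names are not covered by the file-name filter.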

Comments
RWvanLeeuwen
11 - Bolide

I just learnt that the patches were silently released so I hope the subscription feature can be extended to include modifications to the message that the thread started with.

Paul_Holden
9 - Comet

Hi,

 

Is it possible for you to confirm exactly which version of 3.0 has been used for Alteryx v22.1 patch?

 

Is it possible to confirm the version of OpenSSL used in v21.4 and earlier?

 

Following the upgrade we are experiencing issues with SSL connections being refused by a system that we are told is fully up to date, i.e. should have matching cipher suites etc., so any additional information on what has changed would be very useful.

 

Regards,

Paul