Is SQL Server affected by OpenSSL 3.0 Vulnerabilities: CVE 2022-3786 and CVE 2022-3602


Question

I am trying to establish whether SQL Server is affected by the recently discovered OpenSSL vulnerabilities. For example, are SQL Servers that are using TLS/Certificates to encrypt connections between client and server affected too? I believe SQL Server uses OpenSSL libraries for encryption purposes. Can someone please shed light on this?

asked 2022-11-08 by steve


Answer

No*.

SQL Server doesn’t use OpenSSL on Windows. If you’re using Linux, keep reading.

It’s important to note that OpenSSL is not SSL. OpenSSL is a specific, popular, open-source SSL implementation.

If you are using 3rd party drivers or extensions or apps, they may use the OpenSSL product, but not SQL Server.

OpenSSL 3.0 and newer are licensed under the Apache License v2, which requires derivative works using OpenSSL to include an attribution & copy of that license, which should make it easier to identify work using OpenSSL 3.0.

Also note that OpenSSL 3.0 was released Sep 7, 2021. The recency of the release helps to limit derivative works using the vulnerable versions to those released since that date, at the earliest.

*SQL Server on Linux

SQL Server on Linux will use the operating system default version. You can configure SQL Server on Linux to use a specific version of OpenSSL, however.

If you are running SQL Server on Linux, you can mitigate this vulnerability two ways.

  1. Ensure the OS default is older than 3.0, or fully patched to the latest.
  2. Configure SQL Server to use a specific version of OpenSSL that is not vulnerable.

answered 2022-11-08 by Andy Mallon
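A check for the Linux case above, added here as an example and not part of the answer: it classifies the OS default OpenSSL version against the affected 3.0.0 through 3.0.6 range (fixed in 3.0.7) and lists which libssl/libcrypto a running sqlservr process has actually mapped, so a pinned OpenSSL build can be confirmed rather than assumed. It assumes a Linux /proc layout, pgrep, and the process name sqlservr.

```shell
#!/bin/sh
# Added example, not part of the original answer. Classifies an OpenSSL version
# against the range addressed by CVE-2022-3786 / CVE-2022-3602 (3.0.0 through
# 3.0.6; fixed in 3.0.7) and shows which libssl/libcrypto a running SQL Server
# on Linux has mapped. Assumptions: Linux /proc layout, pgrep present,
# and the process name "sqlservr".

# openssl_affected VERSION
# Prints "affected" or "not-affected" for a version string such as "3.0.2",
# "1.1.1q" or "3.0.7-dev".
openssl_affected() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    rest=${rest#*.}
    # Keep only the leading digits of the patch level ("1q" -> "1", "7-dev" -> "7").
    patch=${rest%%[!0-9]*}
    patch=${patch:-0}
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Version string of the OS default OpenSSL, e.g. "3.0.2" from
# "OpenSSL 3.0.2 15 Mar 2022"; empty if the openssl binary is absent.
os_openssl_version() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl version | awk '{print $2}'
}

# Paths of libssl/libcrypto mapped by each sqlservr process, from /proc/PID/maps.
# Pinning SQL Server to a different OpenSSL build shows up here as a different path.
sqlservr_ssl_libs() {
    for pid in $(pgrep -x sqlservr 2>/dev/null); do
        awk '$6 ~ /lib(ssl|crypto)[^ ]*\.so/ {print $6}' "/proc/$pid/maps" | sort -u
    done
}

main() {
    v=$(os_openssl_version)
    [ -n "$v" ] && printf 'OS default OpenSSL %s: %s\n' "$v" "$(openssl_affected "$v")"
    sqlservr_ssl_libs
}

main "$@"
```

Remember that the OS default and the build actually mapped by sqlservr can differ, which is exactly what the second list is for.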