On Oct 25, 2022, the OpenSSL project announced a forthcoming release of OpenSSL (version 3.0.7) to address a critical security vulnerability. The vulnerability is tracked as CVE-2022-3602 and affects deployments of OpenSSL from 3.0.0 to 3.0.6. Its severity has since been reduced from “critical” to “high.” The release of version 3.0.7 went live on Tuesday, November 1, 2022.
There is no current action required of Amplitude customers. Keeping our customers’ data safe is our number one priority, so we’re actively monitoring this issue and taking steps to mitigate it appropriately.
Amplitude services are not currently impacted by the OpenSSL vulnerability. We have reached out to our relevant third-party vendors to determine their status and impact. We will continue to monitor in case new vulnerabilities are discovered or the scope changes, and if needed, we are prepared to mitigate appropriately.
As we continue to gain an understanding of this vulnerability, the Amplitude team will keep monitoring its status. We will keep you informed of any developments by adding to this blog post.
We’re here to help. If you have additional questions, please reach out to support.amplitude.com.