Impact of OpenSSL CVE-2022-3602 on Snowplow Micro

Snowplow Micro

The OpenSSL project team announced the release of OpenSSL version 3.0.7, which was made available on Tuesday, November 1st, 2022. The update is a security fix for a high-severity vulnerability in OpenSSL 3.0.x. The vulnerability is reported to affect versions 3.0.x and does not impact OpenSSL 1.1.1 or LibreSSL.

Snowplow Micro is built to enable users to run automated test suites to ensure that new releases of their websites, mobile apps and server-side applications do not break the tracking set-up and Snowplow data collection.
Snowplow Micro is a very small version of a full Snowplow data collection pipeline: small enough that it can be launched by a test suite. Events can be recorded into Snowplow Micro just as they can into a full Snowplow pipeline.
Snowplow Micro Docker images are based on eclipse-temurin:11 / Ubuntu, which was affected by the OpenSSL vulnerability.

If exploited, the OpenSSL vulnerability could allow a denial of service (DoS) attack on the system or remote code execution.

A fix has been introduced to the underlying Eclipse-Temurin / Ubuntu version to ensure that this vulnerability is successfully patched.
Micro users can get the patched version from Docker Hub by pulling the latest image: snowplow/snowplow-micro:1.3.4
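
To find test suites and CI files that still pin an older Micro image, the following added example (not Snowplow's own tooling) scans text for `snowplow/snowplow-micro` references and compares each tag with the patched tag named above. Treating every lower tag as needing an update is an assumption drawn from this notice, the function names and sample lines are constructed, and a tag comparison says nothing about what a moving tag such as `latest` resolves to in a local cache.

```shell
#!/bin/sh
# Added example: classify Snowplow Micro image references against the
# patched tag named in this notice. Names and sample data are constructed.
PATCHED="1.3.4"

# classify_ref REF -> prints "patched", "outdated" or "unknown"
classify_ref() {
  cr_ref="$1"
  case "$cr_ref" in
    snowplow/snowplow-micro:*) cr_tag="${cr_ref#*:}" ;;
    *) echo "unknown"; return 0 ;;      # no tag: implicit moving "latest"
  esac
  # Only plain x.y.z tags can be ordered; "latest" or suffixed tags cannot.
  if ! printf '%s\n' "$cr_tag" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
    echo "unknown"; return 0
  fi
  # Version-aware sort: if the patched tag sorts first (or ties), the
  # referenced tag is at or above it.
  cr_low=$(printf '%s\n%s\n' "$cr_tag" "$PATCHED" | sort -V | head -n 1)
  if [ "$cr_low" = "$PATCHED" ]; then echo "patched"; else echo "outdated"; fi
}

# scan_refs: read text on stdin, print "<status> <reference>" per unique ref
scan_refs() {
  grep -oE 'snowplow/snowplow-micro(:[A-Za-z0-9._-]+)?' | sort -u |
  while read -r sr_ref; do
    printf '%s %s\n' "$(classify_ref "$sr_ref")" "$sr_ref"
  done
}

# Constructed sample: lines as they might appear in compose or CI files.
SAMPLE='image: snowplow/snowplow-micro:1.2.1
run: docker run -p 9090:9090 snowplow/snowplow-micro:1.3.4
image: snowplow/snowplow-micro:latest'

printf '%s\n' "$SAMPLE" | scan_refs
```

To scan a real checkout, pipe the relevant files into `scan_refs` instead of the sample, then re-pull any image reported as `outdated` or `unknown`.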