Nov 3, 2022
Linkerd is a foundational part of the software security of organizations around the world. Buoyant and the Linkerd maintainers remain committed to the security of our customers and adopters. Every choice we've made in the Linkerd project, from the use of Rust over C++, to the introduction of zero-config, on-by-default mutual TLS, has been made to enhance the security of our customers and adopters.
Earlier this week OpenSSL released a security advisory detailing two high-severity vulnerabilities (CVE-2022-3602 and CVE-2022-3786, both buffer overflows in X.509 certificate name-constraint checking) affecting OpenSSL versions 3.0.0 through 3.0.6 and fixed in 3.0.7. After careful investigation, the Buoyant security team has determined that the latest Linkerd releases (2.12, 2.12.1, and 2.12.2) are not affected by these vulnerabilities, and that no action is required by users of the latest Linkerd releases to mitigate them in Linkerd.
Details: The Linkerd control plane in 2.12.x uses OpenSSL in only one location: the control plane policy component. This component links OpenSSL 1.1.1, which does not contain the X.509 punycode-decoding code introduced in the 3.0 series where these overflows occur, and so is not affected by these vulnerabilities.
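For adopters who want to confirm the same thing about their own deployment rather than take the statement above on trust, the check is to find which OpenSSL version a binary actually carries. The script below is an added example, not Linkerd or Buoyant code: it extracts any embedded "OpenSSL X.Y.Z" banner from a file (the version text OpenSSL compiles into libcrypto) and flags the 3.0.0 through 3.0.6 range named in the advisory. It assumes the component bundles or statically links OpenSSL so that the banner is present as a printable string; the sample input is constructed inline and is not a real Linkerd binary.

```shell
#!/bin/sh
# Added example, not part of Linkerd: report the OpenSSL version banners
# embedded in a binary and flag the range covered by the Nov 2022 advisory.
# Assumption: OpenSSL is linked into the file, so its version text
# (e.g. "OpenSSL 3.0.5 5 Jul 2022") survives as a printable string.

# Return 0 if a dotted version string falls in 3.0.0..3.0.6, else 1.
# Letter suffixes such as 1.1.1q are tolerated and ignored.
openssl_affected() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}        # drop any trailing letters (1.1.1q -> 1)
    if [ "$major" = 3 ] && [ "$minor" = 0 ] && [ "${patch:-0}" -le 6 ]; then
        return 0
    fi
    return 1
}

# Print each distinct OpenSSL version banner found in a file, one per line.
# tr splits the binary on non-printable bytes so grep sees clean text.
openssl_versions_in() {
    tr -c '[:print:]' '\n' < "$1" |
        grep -E -o 'OpenSSL [0-9]+\.[0-9]+(\.[0-9]+[a-z]*)?' |
        sed 's/^OpenSSL //' |
        sort -u
}

# Human-readable verdict for every banner found in a file.
check_binary() {
    found=0
    for v in $(openssl_versions_in "$1"); do
        found=1
        if openssl_affected "$v"; then
            echo "$1: OpenSSL $v AFFECTED (3.0.0-3.0.6, fixed in 3.0.7)"
        else
            echo "$1: OpenSSL $v not affected"
        fi
    done
    [ "$found" -eq 1 ] || echo "$1: no OpenSSL version banner found"
}

# Constructed sample inputs (not real binaries): a few non-printable bytes
# around a version banner, as a linked libcrypto would embed it.
affected_sample=$(mktemp)
printf '\001\002ELF\000OpenSSL 3.0.5 5 Jul 2022\000junk\377' > "$affected_sample"
clean_sample=$(mktemp)
printf '\177ELF\000OpenSSL 1.1.1q  5 Jul 2022\000\377' > "$clean_sample"
check_binary "$affected_sample"
check_binary "$clean_sample"
rm -f "$affected_sample" "$clean_sample"
```

To use it against a real control plane, copy the component binary out of the running pod (for example with `kubectl cp`) and pass the path to `check_binary`; the container and binary names for the policy component are not given on this page, so take them from your own deployment. A "no OpenSSL version banner found" result means only that no version text was found, not that OpenSSL is absent, so fall back to the image's package manifest or SBOM in that case.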
For customers of Buoyant's managed Linkerd service, Buoyant Cloud, the Buoyant security team has additionally determined that the Buoyant Cloud agent is not affected by these vulnerabilities and that no action is required by Buoyant Cloud users to mitigate them in Buoyant Cloud. Further details have been communicated to Buoyant Cloud customers.
As always, we are happy to address any questions or concerns. Please reach out to us through the open source community forums or (for customers) through your Buoyant technical point of contact.