[ CVE-2022-0778 and Jitsi components ]

Hi there!)
Just to be sure if we are safe. Can someone clarify if Jitsi is vulnerable to the latest OpenSSL issue?
I haven’t found the related information on the forum.

Thank you in advance

Nope.

To expand on what @saghul said: The Jitsi server packages proper only use OpenSSL to accelerate symmetric cryptography (AES and HMAC-SHA1) for SRTP, so this vulnerability isn’t relevant. We use BouncyCastle for DTLS, and the JVM’s built-in TLS for HTTP and WebSockets, which are different implementations.

That said, the default jitsi-meet Debian installation uses nginx, which uses OpenSSL, so you should make sure to install all the latest security patches to your Debian/Ubuntu installations.

2 Likes
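A check that follows from the advice above, added here as an example and not part of the original thread: after the patched OpenSSL packages are installed, a running nginx keeps the old library mapped until it is restarted, which shows up as a `(deleted)` libssl/libcrypto entry in `/proc/<pid>/maps`. The function names and the sample mappings are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes that still map a replaced OpenSSL library.

# stale_openssl_maps FILE
# FILE is text in /proc/<pid>/maps format ("-" reads stdin). Prints each
# distinct libssl/libcrypto path whose on-disk file was replaced; the kernel
# marks such mappings with a trailing " (deleted)".
stale_openssl_maps() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\/lib(ssl|crypto)\.so/ { print $(NF-1) }' "$1" |
        sort -u
}

# scan_running [NAME]
# Checks every running process called NAME (default: nginx). Needs root to
# read the maps of processes owned by other users.
scan_running() {
    name=${1:-nginx}
    for pid in $(pgrep -x "$name" 2>/dev/null); do
        libs=$(stale_openssl_maps "/proc/$pid/maps" 2>/dev/null) || continue
        if [ -n "$libs" ]; then
            printf '%s (pid %s) needs a restart, still maps:\n%s\n' "$name" "$pid" "$libs"
        fi
    done
    return 0
}

# Constructed sample in /proc/<pid>/maps format (not taken from a real host):
# two stale OpenSSL libraries, one stale unrelated library, one current library.
sample_maps() {
    cat <<'EOF'
55d0c0a00000-55d0c0a20000 r--p 00000000 fd:01 131090 /usr/sbin/nginx
7f1a10000000-7f1a10021000 rw-p 00000000 00:00 0
7f1a2c000000-7f1a2c01e000 r--p 00000000 fd:01 262200 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f1a2c01e000-7f1a2c06a000 r-xp 0001e000 fd:01 262200 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f1a2c200000-7f1a2c27a000 r--p 00000000 fd:01 262199 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (deleted)
7f1a2c600000-7f1a2c603000 r--p 00000000 fd:01 262310 /usr/lib/x86_64-linux-gnu/libz.so.1.2.11 (deleted)
7f1a2c800000-7f1a2c825000 r--p 00000000 fd:01 262150 /usr/lib/x86_64-linux-gnu/libc-2.31.so
EOF
}

# Demo on the constructed sample. On a real host, run: scan_running nginx
sample_maps | stale_openssl_maps -
```

Passing another process name, for example `scan_running java`, applies the same check to the JVM processes that load OpenSSL for SRTP.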

Thanks for elaborating!

Thank you so much for the explanation!)