Remediation for Bad OpenSSL Versions
This information is intended for developers whose app(s) use a defective version of the OpenSSL library, directly or indirectly.
What’s happening
One or more of your apps contain a defective version of the OpenSSL library, which can cause your app to crash, thus harming its usability. Even if your app doesn’t depend on the OpenSSL artifact directly, one of the third-party libraries/SDKs in your app’s dependencies may do so.
Fixing this issue is highly recommended but not mandatory. The publication status of your app will be unaffected by the presence of this issue.
Additional details
The ARMv8.3 pointer authentication (PAC) functionality enables hardware-assisted control flow integrity (CFI) by authenticating pointers (specifically, the return addresses) at runtime. Older versions of OpenSSL use this functionality incorrectly, causing crashes at runtime. This issue was resolved in OpenSSL 1.1.1i. Versions between 1.1.1b and 1.1.1h are affected.
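
One way to find which native library in an APK carries an affected OpenSSL build, including copies bundled inside third-party SDKs. This is an added example, not code from the original page. It assumes the library still contains the standard "OpenSSL <version>" banner string and reads the 1.1.1b to 1.1.1h range as inclusive; the sample APK and its file names are constructed.

```python
import io
import re
import zipfile

# Version banner that OpenSSL builds embed, e.g. b"OpenSSL 1.1.1g  21 Apr 2020".
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

def is_affected(major, minor, patch, letter):
    """True for 1.1.1b through 1.1.1h (range from the page, assumed inclusive)."""
    return (major, minor, patch) == (1, 1, 1) and len(letter) == 1 and "b" <= letter <= "h"

def scan_blob(data):
    """Return sorted unique (version, affected) pairs found in a binary blob."""
    found = set()
    for m in BANNER.finditer(data):
        major, minor, patch = (int(g) for g in m.group(1, 2, 3))
        letter = m.group(4).decode()
        version = f"{major}.{minor}.{patch}{letter}"
        found.add((version, is_affected(major, minor, patch, letter)))
    return sorted(found)

def scan_apk(apk_file):
    """Map each native library under lib/ in an APK to the OpenSSL banners it holds."""
    report = {}
    with zipfile.ZipFile(apk_file) as apk:
        for name in apk.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                hits = scan_blob(apk.read(name))
                if hits:
                    report[name] = hits
    return report

def build_sample_apk():
    """Constructed in-memory APK with fake .so payloads, for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/arm64-v8a/libvendor_sdk.so", b"\x7fELF\0\0OpenSSL 1.1.1g  21 Apr 2020\0")
        z.writestr("lib/arm64-v8a/libcrypto.so", b"\x7fELF\0\0OpenSSL 1.1.1i  8 Dec 2020\0")
        z.writestr("lib/arm64-v8a/libapp.so", b"\x7fELF\0\0no tls here\0")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Replace build_sample_apk() with a path to a real APK to scan it.
    for lib, hits in scan_apk(build_sample_apk()).items():
        for version, affected in hits:
            print(f"{lib}: OpenSSL {version} {'AFFECTED' if affected else 'ok'}")
```

A library with no banner match is not proof that OpenSSL is absent, since a custom build can alter or omit the string; confirm against the dependency's own release notes.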