OpenSSL Vulnerability: What You Need to Know
On November 1, 2022, The OpenSSL Foundation released OpenSSL version 3.0.7. This release is a security-fix and addresses two “High” severity vulnerabilities, https://www.openssl.org/news/vulnerabilities.html. Advanced notice was shared by the OpenSSL Foundation last week, alerting the industry of the vulnerability and upcoming patch.
At Progress, security is a top priority. Upon notification, we conducted a thorough review of the Progress product portfolio, and our internal diligence indicates that our products are not using the impacted version of OpenSSL as shipped and/or deployed. Including the following products:
- Kemp LoadMaster
We do, however, recommend that customers conduct their own due diligence with respect to any third-party components that may be utilized in their environments and take the appropriate actions recommended by those third parties.
We will continue to closely monitor the OpenSSL vulnerability and provide updates on the Progress Security Center as necessary. If you have additional questions regarding this message, you may contact email@example.com and we will quickly address those questions or concerns.
For more information regarding our security practices and privacy posture, please visit our Security Center and Privacy Center.
The OpenSSL Project announced two vulnerabilities found in OpenSSL 3.0-3.0. 6 (first released in September 2021). CVE-2022-3786 and CVE-2022-3602 both relate to X. 509 email address buffer overflows and require users to upgrade to OpenSSL 3.0.