The crypto between CPC and server uses jsafe from verisign which is a proprietary implementation and not related to openSSL.
While none of our web servers provide certificates or enable SSL out of the box, we do ship with the tcnative dll from tomcat. The version shipped with the 14.2 StarTeam Web Server is affected so we will ship a Hot Fix in the next week or so.
Customers would only be affected with the release build if they enabled SSL manually and updated the tomcat server.xml file to use the APR libraries.
If you feel you are affected by this please contact technical support and we will expedite this new patch to you.