OpenSSL Vulnerabilities

Our endpoint detection and response solution is identifying a vulnerable version of OpenSSL used in Content Manager, with numerous vulnerabilities (\content manager\libcrypto-3.dll, \content manager\libcrypto-3-x64.dll).

Has anyone had any resolution or information regarding this and/or any plans or timelines for OpenText to update the version of OpenSSL they are using? I haven't had any luck finding anything about this in security bulletins.

Thanks,

PH

  • 0

    Subscribing for updates.

    Possibly not a coincidence, but overnight, endpoint TVM started flagging various OpenSSL DLLs embedded in Content Manager v23.4 for ourselves as well. The specific vulnerability reference quoted is CVE-2023-0464.

  • 0

    Reported this back in 2022 (case 2440751) for CM 10.0 (which had 3 different versions of OpenSSL 1.x), which they kind of resolved in CM 23.4 with a much newer version of OpenSSL, 3.0.8 (but still several versions behind the latest). For a full list of vulnerabilities see www.openssl.org/.../vulnerabilities.html

    So in February I reported again that these libraries were outdated in 23.4 (case 2802153) and got a response that was not very hopeful about getting this resolved:

    Kindly note that it is the Product Manager and Engineering Team's decision to determine which version of Open SSL needs to be certified with CM. As we take release versions of Open SSL to integrate with main/major releases of CM, and please note that we do not integrate with any of our patches.

    So as I understand it, they don't intend to ever provide updates to this in patches. Asked them if they would be willing to make a statement on whether or not they were impacted by each of the 14 vulnerabilities that were fixed in the newer OpenSSL version at that time, but I haven't received an answer to that while the list of vulnerabilities continues to grow...

    Further attempts to get this resolved only resulted in them asking me to monitor the download page and wait for when they feel like bringing out a new version of CM with updated files. Unfortunately OpenText didn't take the opportunity to fix this in patch 1... very disappointing!

    It's good that security scanners are now detecting this issue as it will make more companies aware of the issue and hopefully this can convince OpenText to finally get issues like this fixed.

    Less easy to link to CM as the installer puts the files in the system32 folder, but the MSI also includes the VC++ runtimes for 11.0 (VS 2012) and 12.0 (VS 2013), both of which have also been out of support for over a year and 3 weeks.

    Curious to see how OpenText is planning to support CM 23.4 for 3 years (with 2 year extension) from a security perspective when clearly they seem to struggle to keep up half a year after its release...
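Added example, not code from this thread or from OpenText: a small inventory script that walks an install directory for the libcrypto-*/libssl-* DLLs named above, pulls out the version banner that libcrypto embeds as a plain ASCII string (e.g. "OpenSSL 3.0.8 7 Feb 2023"), and flags any copy below a minimum version you pass in. The install path and the 3.0.9 floor in the usage comment are assumptions; take the floor from your scanner's advisory for CVE-2023-0464.

```python
import re
import sys
from pathlib import Path

# libcrypto embeds its version banner (OPENSSL_VERSION_TEXT) as a plain ASCII
# string such as b"OpenSSL 3.0.8 7 Feb 2023"; this regex pulls the version out.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")
# The file names the EDR flagged in this thread, plus the matching libssl DLLs.
DLL_GLOBS = ("libcrypto-*.dll", "libssl-*.dll")


def openssl_versions(data: bytes) -> list[str]:
    """Distinct OpenSSL version strings found in a binary, in order of appearance."""
    found: list[str] = []
    for m in VERSION_RE.finditer(data):
        v = ".".join(g.decode() for g in m.groups()[:3]) + m.group(4).decode()
        if v not in found:
            found.append(v)
    return found


def version_key(v: str) -> tuple:
    """Sort key so that '1.1.1t' < '1.1.1u' and '3.0.8' < '3.0.9' compare correctly."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", v)
    if m is None:
        raise ValueError(f"not an OpenSSL version string: {v!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def is_below(found: str, minimum: str) -> bool:
    """True when the version found in a DLL is older than the required minimum."""
    return version_key(found) < version_key(minimum)


def scan(root: Path, minimum: str) -> list[tuple[str, str, bool]]:
    """(path, version, below_minimum) for every OpenSSL DLL found under root."""
    results = []
    for pattern in DLL_GLOBS:
        for dll in sorted(root.rglob(pattern)):
            for v in openssl_versions(dll.read_bytes()):
                results.append((str(dll), v, is_below(v, minimum)))
    return results


if __name__ == "__main__":
    # Usage (paths and floor are assumptions, adjust to your environment):
    #   python openssl_dll_scan.py "C:\Program Files\...\Content Manager" 3.0.9
    root, minimum = Path(sys.argv[1]), sys.argv[2]
    for path, version, below in scan(root, minimum):
        print(f"{'VULNERABLE' if below else 'ok':<10} {version:<8} {path}")
```

The banner only tells you the base OpenSSL version a DLL was built from, so treat the output as an inventory to raise with the vendor rather than proof that a given CVE is exploitable in the product.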