VIP OpenSSL critical vulnerability that exists within the v3.0.X branch - CVE-2022-3786 | CVE-2022-3602

Article ID: 253383

Products

VIP Service

Issue/Introduction

On Tuesday, October 25, a new OpenSSL hot-fix release was announced that will patch a critical vulnerability in the v3.0.X branch.

OpenSSL 3.0.7 will be released on Tuesday, November 1, and the details of the vulnerability and its associated CVE will be made public at the same time. (More information: https://securityboulevard.com/2022/10/openssl-critical-vulnerability-should-you-be-spooked/)

Is the Symantec VIP product vulnerable?

Environment

Enterprise Gateway 9.9.2 and before

Enterprise Gateway 9.10 

Cause

Third party OpenSSL version 3.x

Resolution

Enterprise Gateway 9.9.2 and below: These versions use OpenSSL 1.x and are not impacted by this vulnerability.

Enterprise Gateway 9.10: This version uses OpenSSL 3.x and is currently under investigation. Further information will be shared in this KB article.

VIP Cloud Components: VIP Cloud components do not use any version of OpenSSL and are therefore not impacted.

The product team is looking into the impact and what fixes or patches might be required. Please return to this article for updates as more information is received.
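A version check for the range described above (the 3.0.x branch before the 3.0.7 fix release), added here as an example and not taken from Broadcom or the VIP product. The helper name `classify_openssl_version` and its status strings are hypothetical, and the script assumes the `openssl` binary it queries is the same build the software under review actually links against.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string against the range this
# article discusses. classify_openssl_version is a hypothetical helper name.
# Accepts a bare version ("3.0.5") or a full `openssl version` banner line.
# Prints one of: affected | fixed | not-3.0.x | unknown

classify_openssl_version() {
    v=${1#OpenSSL }            # drop the banner prefix if present
    v=${v%% *}                 # keep the first word, e.g. "3.0.5" or "1.1.1k"
    case "$v" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}    # "1k" -> "1", "7-dev" -> "7"
    # Reject anything where major or minor is not purely numeric.
    case "$major.$minor" in
        *[!0-9.]*) echo unknown; return 0 ;;
    esac
    if [ "$major" -ne 3 ] || [ "$minor" -ne 0 ]; then
        echo not-3.0.x         # e.g. the 1.x line used by Gateway 9.9.2 and below
    elif [ "$patch" -lt 7 ]; then
        echo affected          # 3.0.0 through 3.0.6
    else
        echo fixed             # 3.0.7 or later in the 3.0.x branch
    fi
}

# Report on the local binary when one is on PATH.
if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version)
    echo "$banner -> $(classify_openssl_version "$banner")"
fi
```

A product may bundle its own OpenSSL library separate from the system binary, so run the check against the copy shipped in the product's install directory as well.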

Additional Information

Additional information on the CVE:

Broadcom Security Advisory