The customer wants to know if CASB services are affected by CVE-2022-37454 (https://nvd.nist.gov/vuln/detail/CVE-2022-37454)
Comments from the SED Engineering team:
CVE-2022-37454 should not impact any of our products for two reasons: (a) the issue exists in the "reference-implementation" of SHA-3, called "Keccak XKCP." It is highly unlikely for a reference implementation to be used in practice (OpenSSL, for example, does not use it), and (b) SHA-3 is not as widely adopted even though it has been around for a while since SHA-2 is adequate for all practical purposes. Therefore, the vulnerability should not impact the CloudSOC CASB for the above reasons. The respective security leads will continue to analyze and monitor.