search cancel

Is DLP affected by CVE-2022-37454?

book

Article ID: 253601

calendar_today

Updated On:

Products

Data Loss Prevention

Issue/Introduction

Are DLP services affected by CVE-2022-37454?

Environment

Release : 15.8+

Resolution

DLP doesn't use SHA-3, nor does it use the "Keccak XKCP" implementation that is vulnerable. So DLP is not affected by this vulnerability. 

Additional Information:

CVE-2022-37454 should not impact any of our products for two reasons:

       (a) the issue exists in the "reference-implementation" of SHA-3, called "Keccak XKCP." It is highly unlikely for a reference implementation to be used in practice (OpenSSL, for example, does not use it), and

       (b) SHA-3 is not as widely adopted even though it has been around for a while since SHA-2 is adequate for all practical purposes.