OpenSSL Vulnerability Assessment for Endpoint Protection Manager

Article ID: 370515

Updated On: 02-26-2025

Products

Endpoint Protection

Issue/Introduction

Is Symantec Endpoint Protection Manager (SEPM) affected by the following OpenSSL vulnerabilities?

  • CVE-2023-5363 Vulnerability
  • CVE-2023-4807 Denial of Service Vulnerability
  • CVE-2023-3817 Denial of Service Vulnerability
  • CVE-2023-2975 Authentication Bypass Vulnerability
  • CVE-2023-6129 Out of Bounds Write Vulnerability

Environment

Symantec Endpoint Protection Manager 14.3.x

Resolution

The Symantec Endpoint Protection Manager is NOT affected by the CVEs below:

| CVE | Assessment | Mitigation | Notes (internal) |
|---|---|---|---|
| CVE-2023-5363 Vulnerability | Not vulnerable | | Issue does not affect FIPS, while 3.0.9 is used by FIPS only. |
| CVE-2023-4807 Denial of Service Vulnerability | Not vulnerable | None | No impact since we are using the x86 version of OpenSSL. |
| CVE-2023-3817 Denial of Service Vulnerability | Not vulnerable | | DH_check(), DH_check_ex() and EVP_PKEY_param_check() are not used by SEPM and its components. |
| CVE-2023-2975 Authentication Bypass Vulnerability | Not vulnerable | | SEPM Apache does not use that specific cipher. |
| CVE-2023-6129 Out of Bounds Write Vulnerability | Not vulnerable | | OpenSSL versions 3.0.0 to 3.0.12, 3.1.0 to 3.1.4 and 3.2.0 are vulnerable to this issue. The FIPS provider is not affected because the POLY1305 MAC algorithm is not FIPS approved and the FIPS provider does not implement it. https://www.openssl.org/news/secadv/20240109.txt |