OpenSSL Vulnerability Assessment for Endpoint Protection Manager
Article ID: 370515
Updated On: 02-26-2025
Products
Endpoint Protection
Issue/Introduction
Is Symantec Endpoint Protection Manager (SEPM) affected by the following OpenSSL Vulnerabilities:
- CVE-2023-5363 Vulnerability
- CVE-2023-4807 Denial of Score Vulnerability
- CVE-2023-3817 Denial of Service Vulnerability
- CVE-2023-2975 Authentication Bypass Vulnerability
- CVE-2023-6129 Out of Bounds Write Vulnerability
Environment
Symantec Endpoint protection manager 14.3.x
Resolution
The Symantec Endpoint Protection Manager is NOT affected by the below CVEs:
| CVE | Assessment | Mitigation | Notes (internal) |
| CVE-2023-5363 Vulnerability | Not vulnerable | Issue does not affect FIPS while 3.0.9 is used by FIPS only | |
| CVE-2023-4807 Denial of Score Vulnerability | Not vulnerable | None | No impact since we are using the x86 version of OpenSSL. |
| CVE-2023-3817 Denial of Service Vulnerability | Not vulnerable | DH_check, DH_check_ex() or EVP_PKEY_param_check are not used by SEPM and its components | |
| CVE-2023-2975 Authentication Bypass Vulnerability | Not vulnerable | SEPM apache does not use that specific cipher | |
| CVE-2023-6129 Out of Bounds Write Vulnerability | Not vulnerable | OpenSSL versions 3.0.0 to 3.0.12, 3.1.0 to 3.1.4 and 3.2.0 are vulnerable to this issue. The FIPS provider is not affected because the POLY1305 MAC algorithm is not FIPS approved and the FIPS provider does not implement it. https://www.openssl.org/news/secadv/20240109.txt |
|
Feedback
Was this article helpful?
Yes
No
Powered by
