A critical vulnerability, CVE-2025-15467, has been identified in OpenSSL with a CVSS score of 9.8. It is a stack buffer overflow that can be triggered when OpenSSL parses a CMS AuthEnvelopedData message carrying maliciously crafted AEAD parameters. The potential impact ranges from denial of service (a crash of the parsing process) to, critically, remote code execution.
Is DX Operational Observability affected by this vulnerability?
Based on the initial analysis, CVE-2025-15467 is not exploitable in the DXO2 (DX Operational Observability) context. The overflow is only reachable when OpenSSL parses untrusted CMS AuthEnvelopedData (the structure used by secure e-mail formats such as S/MIME), and DXO2 components do not perform CMS or S/MIME parsing. The vulnerable code path is therefore never executed by DXO2.
DXO2 components, specifically those related to DXI and APM, do ship bundled copies of OpenSSL 3.5.4 and 3.6.0 and will therefore be flagged by version-based vulnerability scanners. Note, however, that DXI and APM do not directly use these bundled libraries.
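The two facts the advisory relies on, which OpenSSL builds are bundled and whether the CMS/S/MIME code path is reachable from a component at all, are both things an operator can verify locally. The script below is an added example, not Broadcom or DXO2 tooling: it inventories the libcrypto copies under an install root and reads their embedded version strings, then checks whether a component binary imports any CMS entry points (CMS_decrypt, d2i_CMS_ContentInfo, SMIME_read_CMS and friends). Function names, the install path and the sample inputs are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not DXO2 / Broadcom code). Assumes a Linux host with binutils
# (strings, nm). Helper names and paths below are hypothetical.

# Extract "OpenSSL x.y.z" from the text strings of a libcrypto build; every
# OpenSSL library embeds its version string. Reads `strings` output on stdin.
openssl_version_from_strings() {
    grep -E -o 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' | head -n 1
}

# Reduce an `nm -D --undefined-only` listing (stdin) to the imported CMS / S/MIME
# entry points, stripping the "@OPENSSL_3.x.y" symbol-version suffix.
# Empty output means the binary does not dynamically import the CMS parser.
cms_symbols_in_listing() {
    awk '{print $NF}' | sed 's/@.*//' \
      | grep -E '^(CMS_|d2i_CMS_|i2d_CMS_|SMIME_read_CMS|SMIME_write_CMS)' | sort -u
}

# List every bundled libcrypto under a directory tree with its version string.
# usage: list_bundled_openssl /opt/dxi        (path is an assumption)
list_bundled_openssl() {
    find "$1" -xdev -type f -name 'libcrypto*.so*' 2>/dev/null | while read -r lib; do
        printf '%s\t%s\n' "$lib" "$(strings "$lib" | openssl_version_from_strings)"
    done
}

# Exit 0 if the component binary imports any CMS entry point (code path reachable).
# Caveat: this only sees dynamic imports. A statically linked libcrypto, or a
# dlopen()/dlsym() lookup, needs a symbol scan of the binary itself (nm / readelf -s).
binary_imports_cms() {
    [ -n "$(nm -D --undefined-only "$1" 2>/dev/null | cms_symbols_in_listing)" ]
}

# Stand-alone use: ./openssl-cms-check.sh <install-root> [component-binary ...]
if [ "$#" -gt 0 ]; then
    list_bundled_openssl "$1"; shift
    for bin in "$@"; do
        if binary_imports_cms "$bin"; then
            echo "$bin: imports CMS symbols; CVE-2025-15467 code path is reachable"
        else
            echo "$bin: no CMS imports"
        fi
    done
fi
```

A component that shows no CMS imports and never receives CMS/S/MIME input is consistent with the "not exploitable" conclusion above; the bundled library still shows up in version-based scans until it is upgraded, which is why the upgrade schedule that follows matters for compliance even where the code path is unreachable.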
The DXI components that bundle OpenSSL will be upgraded in the upcoming SaaS Push 26.2.1, scheduled for the first week of March 2026.
ETAs for the APM components will be provided once the development team has completed the corresponding work.