OpenSSL has announced two vulnerabilities, CVE-2022-3786 and CVE-2022-3602. Lucidworks has analyzed both CVEs and determined that none of its products are vulnerable to either CVE, as indicated below.
Response Matrix
Product | Version | Vulnerable to CVE-2022-3786? | Vulnerable to CVE-2022-3602? | Mitigation |
Solr | All | No | No | N/A |
Fusion | 5.x | No | No | N/A |
Fusion | 4.x and lower | No | No | N/A |
Managed Fusion | All | No | No | N/A |
Connected Search | All | No | No | N/A |
Lucidworks Search | All | No | No | N/A |
Attivio | All | No | No | N/A |
Attivio SearchUI | All | No | No | N/A |
App Studio | All | No | No | N/A |
OpenSSL Information
OpenSSL is a commonly used open-source implementation of the SSL and TLS protocols. The two vulnerabilities CVE-2022-3786 (“X.509 Email Address Variable Length Buffer Overflow”) and CVE-2022-3602 (“X.509 Email Address 4-byte Buffer Overflow”) impact OpenSSL versions 3.0.0 to 3.0.6, but are fixed in 3.0.7. OpenSSL 1.0.2, 1.1.1 and other earlier versions are not affected. See this announcement for details.
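A version check against the range stated above, as an added example (not Lucidworks or OpenSSL project code); the function names, the `host|version line` inventory format and the sample records are constructed for illustration. A verdict of `affected-range` is a first-pass signal only, because distribution packages can carry the fix while still reporting an older upstream version string.

```shell
#!/bin/sh
# Classify one line of `openssl version` output against the advisory's range:
# 3.0.0 through 3.0.6 are affected, 3.0.7 is fixed, 1.x and earlier are not.
# Prints: affected-range | not-affected | unknown
classify_openssl() {
    case $1 in
        "OpenSSL "*) ver=${1#"OpenSSL "} ;;
        *) echo unknown; return 0 ;;      # LibreSSL, BoringSSL, empty, ...
    esac
    ver=${ver%% *}                        # "3.0.5", "1.1.1k", "1.0.2k-fips"
    case $ver in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}               # "1k" -> "1", "2k-fips" -> "2"
    case "$major:$minor:$patch" in
        *[!0-9:]*|:*|*::*|*:) echo unknown; return 0 ;;
    esac
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        echo affected-range
    else
        echo not-affected
    fi
}

# Read "host|version line" records on stdin, print "host verdict" per record.
triage_inventory() {
    while IFS='|' read -r host verline; do
        printf '%s %s\n' "$host" "$(classify_openssl "$verline")"
    done
}

# Constructed sample inventory (hypothetical hosts, not data from the advisory).
sample_inventory() {
    cat <<'EOF'
web01|OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
web02|OpenSSL 1.1.1k  FIPS 25 Mar 2021
db01|OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
app03|OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
old09|OpenSSL 1.0.2k-fips  26 Jan 2017
mac01|LibreSSL 3.3.6
EOF
}

sample_inventory | triage_inventory
```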