Executive summary
OpenSSL has announced two vulnerabilities, CVE-2022-3786 and CVE-2022-3602. No Lucidworks products are vulnerable to either CVE.
Response matrix
| Product | Version | Vulnerable to CVE? | Mitigation | |
| CVE-2022-3786 | CVE-2022-3602 | |||
| Solr | All | No | No | N/A |
| Fusion | 5.x | No | No | N/A |
| Fusion | 4.x and lower | No | No | N/A |
| Managed Fusion | All | No | No | N/A |
| Connected Search | All | No | No | N/A |
| Lucidworks Search | All | No | No | N/A |
| Attivio | All | No | No | N/A |
| Attivio SearchUI | All | No | No | N/A |
| App Studio | All | No | No | N/A |
Technical summary
OpenSSL is a commonly used open-source implementation of the SSL and TLS protocols. The two vulnerabilities CVE-2022-3786 (“X.509 Email Address Variable Length Buffer Overflow”) and CVE-2022-3602 (“X.509 Email Address 4-byte Buffer Overflow”) impact OpenSSL versions 3.0.0 to 3.0.6, but are fixed in 3.0.7. OpenSSL 1.0.2, 1.1.1 and other earlier versions are not affected. See this announcement for details.
No mitigation steps required
No mitigation steps are needed for any Lucidworks product.