OpenSSL has announced two vulnerabilities, CVE-2022-3786 and CVE-2022-3602. Lucidworks has analyzed both CVEs and determined that none of its products are vulnerable to either CVE, as indicated below.
| Product | Version | Vulnerable to CVE-2022-3786? | Vulnerable to CVE-2022-3602? | Mitigation |
|---|---|---|---|---|
| Fusion | 4.x and lower | No | No | N/A |
OpenSSL is a commonly used open-source implementation of the SSL and TLS protocols. The two vulnerabilities CVE-2022-3786 (“X.509 Email Address Variable Length Buffer Overflow”) and CVE-2022-3602 (“X.509 Email Address 4-byte Buffer Overflow”) impact OpenSSL versions 3.0.0 to 3.0.6, but are fixed in 3.0.7. OpenSSL 1.0.2, 1.1.1 and other earlier versions are not affected. See this announcement for details.
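For hosts outside the products listed above, the version range in this advisory can be checked against the banner printed by `openssl version`. The script below is an added example, not Lucidworks or OpenSSL code; the function name `classify_openssl_banner` and the sample banners are constructed here, and it assumes releases newer than 3.0.7 also carry the fix.

```shell
#!/bin/sh
# Added example. Classifies an `openssl version` banner against the range
# stated in this advisory: 3.0.0 to 3.0.6 affected, fixed in 3.0.7,
# 1.x and earlier not affected.
# Assumption: releases newer than 3.0.7 also carry the fix.
# Caveat: distribution packages can backport a fix without changing the
# upstream version string, so "affected" means "check the package advisory".

classify_openssl_banner() {
    banner=$1
    case $banner in
        "OpenSSL "*) ;;                       # proceed
        *) echo unknown; return 0 ;;          # LibreSSL, BoringSSL, junk
    esac
    # The field after "OpenSSL " is the version (3.0.5, 1.1.1k, ...).
    version=${banner#OpenSSL }
    version=${version%% *}
    case $version in
        *[!0-9a-z.]*|"") echo unknown; return 0 ;;   # pre-release tags etc.
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${version%%.*}
    rest=${version#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}                   # 1k -> 1 (1.1.1 letter releases)
    case $major$minor$patch in
        *[!0-9]*|"") echo unknown; return 0 ;;
    esac
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample banners (not captured from real hosts).
for b in "OpenSSL 3.0.5 5 Jul 2022" "OpenSSL 3.0.7 1 Nov 2022" \
         "OpenSSL 1.1.1k  FIPS 25 Mar 2021" "LibreSSL 3.3.6"; do
    printf '%-36s %s\n' "$b" "$(classify_openssl_banner "$b")"
done
```

On a live host, pass the real banner with `classify_openssl_banner "$(openssl version)"`; applications that bundle or statically link their own OpenSSL copy are not covered by this check.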