Overview

Two vulnerabilities have been raised for OpenSSL Version 3.0.0-3.0.6, fixed in 3.0.7; OpenSSL is a general-purpose cryptography library that is either present by default or installed on the underlying operating system that an Objective solution is hosted, or linked within an application to provide cryptographic functionality. The vulnerabilities provide a mechanism to crash an application but are considered unlikely to allow a Remote Code Execution (RCE). More details on the issue are available through CVE-2022-3602 and CVE-2022-3786.

Please return to this blog post for updates from the Objective Team.

On-Premise Customers - Are my Objective solutions affected?

Objective desktop applications are not known to be affected by either vulnerability.

Objective recommends that customers with on-premise solutions review the OpenSSL Advisory and the library version on the operating systems maintained within the environment.

Hosted Objective Products and Customers - Are my Objective solutions affected?

Since the issue was initially identified, the Objective Product Development Teams have been actively investigating the impact of the vulnerability across the entire range of Objective solutions. Each product has been updated with a status, denoting the current state of the investigation and the next steps to be taken.

The following table will be updated as the status of each investigation is updated:

• Not Affected: Vulnerability does not affect this product
• Mitigated: Security configuration put in place whilst awaiting Patch
• Mitigation Available: A Security configuration is available to be applied
• Patch Pending: Investigation complete. Mitigation in progress
• Patch Applied: Patch has been applied by the Objective Team
• Patch Available: Patch available for customers to install. Contact Objective Support for details

Content Solutions

RegTech

Keystone

Planning and Building