
Dali95325 (Customer) asked a question.
OpenSSL 1.1.1 < 1.1.1t Multiple Vulnerabilities
Hi,
We are currently using version 8.7SP1.P1.HF1.
This version appears to run OpenSSL version 1.1.1d.
Our security scanner detects several vulnerabilities related to OpenSSL e.g.: OpenSSL 1.1.1 < 1.1.1t Multiple Vulnerabilities. The scanner marks them as critical.
Do you have an explanation for these vulnerabilities, maybe they are false positives and not related to RSA AM?
Is the RSA AM 8.7SP2.P1 version free from these vulnerabilities? Which version of OpenSSL is in the 8.7SP2.P1 version?
Regards,
Dali
I recently went to 8.7SP2.P1, and it is still using OpenSSL 1.1.1d unfortunately. RSA needs to go to OpenSSL 1.1.1x to resolve the findings. Not only would it take care of the two criticals, it looks like it would take care of two highs, and ten mediums. I was using a plugin dated from a few weeks ago that identifies these vulnerabilities.
RSA, as Dali asked, I also ask is this a false-positive, or is there a mitigation, or better yet, when does RSA plan to resolve the vulnerability? I may need this information for a POAM.
@DanielRobinson, If you're still seeing vulnerabilities in your scans after upgrading your servers to Authentication Manager 8.7 SP2 patch 1, please contact technical support and open a case. That will give us an opportunity to review your logs and provide guidance.
@EricaChalfin: I opened a case. Thanks for replying.
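The finding discussed in this thread is a version-range title of the form "OpenSSL 1.1.1 < 1.1.1t", matched against a version string such as the "1.1.1d" the appliance reports. OpenSSL's pre-3.0 numbering is unusual (a trailing letter run is the patch level, so 1.1.1 < 1.1.1a < ... < 1.1.1t), which is easy to get wrong when checking a scanner result by hand. The following is an added example, not code from the original posts or from RSA or the scanner vendor; it parses OpenSSL version strings, orders them the way the release numbering does, and tests a reported version against a finding title. The banner lines fed to it are constructed for illustration; the function and regex names are the example's own.

```python
import re
from typing import Tuple

# Pre-3.0 OpenSSL releases look like "1.1.1d": three numbers plus an optional
# letter run that is the patch level ("" < "a" < ... < "z" < "za").
# 3.x releases are plain numeric ("3.0.8").  A build suffix such as "-fips" or
# "-dev" is not part of the release number and is ignored for ordering.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:[-+].*)?$")

# Scanner finding titles of the form "OpenSSL <low> < <high> ..." (assumed
# shape, matching the title quoted in the thread).
_FINDING_RE = re.compile(r"OpenSSL\s+(\d[\w.+-]*)\s*<\s*(\d[\w.+-]*)")

# First OpenSSL version token in text such as the output of `openssl version`.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]*(?:-[\w.]+)?)")


def parse_openssl_version(s: str) -> Tuple[int, int, int, int]:
    """Turn '1.1.1d' into a tuple that sorts like OpenSSL release order."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version string: {s!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    # Letter run -> patch number: "" -> 0, "a" -> 1, ..., "z" -> 26, "za" -> 677.
    # Base-26 with a=1 keeps every longer run above every shorter one.
    patch = 0
    for ch in m.group(4):
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (major, minor, fix, patch)


def version_from_banner(text: str) -> str:
    """Extract the version from e.g. 'OpenSSL 1.1.1d  10 Sep 2019'."""
    m = _BANNER_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version in banner: {text!r}")
    return m.group(1)


def version_in_finding_range(detected: str, finding_title: str) -> bool:
    """True if `detected` lies in [low, high) for a title like
    'OpenSSL 1.1.1 < 1.1.1t Multiple Vulnerabilities'."""
    m = _FINDING_RE.search(finding_title)
    if not m:
        raise ValueError(f"cannot read a version range from: {finding_title!r}")
    low = parse_openssl_version(m.group(1))
    high = parse_openssl_version(m.group(2))
    return low <= parse_openssl_version(detected) < high


if __name__ == "__main__":
    # Constructed sample: the version string named in the thread.
    banner = "OpenSSL 1.1.1d  10 Sep 2019"
    title = "OpenSSL 1.1.1 < 1.1.1t Multiple Vulnerabilities"
    v = version_from_banner(banner)
    print(v, "in range of", repr(title), "->", version_in_finding_range(v, title))
```

A true result only says the reported version string is below the threshold the finding names; a vendor that backports fixes without bumping the version string would still be flagged, which is the kind of false-positive question the thread raises, and only the vendor can answer it.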