Investigation into OpenSSL Version 3.0.0-3.0.6 vulnerability and mitigation actions for Objective products.

Overview

Two vulnerabilities have been raised for OpenSSL versions 3.0.0-3.0.6 and are fixed in 3.0.7. OpenSSL is a general-purpose cryptography library that is either present by default or installed on the underlying operating system on which an Objective solution is hosted, or linked within an application to provide cryptographic functionality. The vulnerabilities provide a mechanism to crash an application but are considered unlikely to allow Remote Code Execution (RCE). More details on the issue are available through CVE-2022-3602 and CVE-2022-3786.

Please return to this blog post for updates from the Objective Team.


On-Premise Customers - Are my Objective solutions affected?

Objective desktop applications are not known to be affected by either vulnerability.

Objective recommends that customers with on-premise solutions review the OpenSSL Advisory and the library version on the operating systems maintained within the environment.
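One way to carry out the version review above so that it also covers copies of OpenSSL bundled with or statically linked into applications (an added example, not Objective's or the OpenSSL project's own tooling): it searches files for the version banner that OpenSSL compiles into libcrypto and flags versions 3.0.0 through 3.0.6. The function names are illustrative, and the check assumes the banner has not been stripped or altered in the binary.

```python
"""Find OpenSSL copies on disk by their embedded version banner (added example)."""
import re
import sys
from pathlib import Path

# libcrypto embeds OPENSSL_VERSION_TEXT, e.g. b"OpenSSL 3.0.5 5 Jul 2022".
BANNER = re.compile(
    rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:-fips)? {1,2}\d{1,2} [A-Z][a-z]{2} \d{4}")
OVERLAP = 64  # bytes carried between chunks so a banner split by a read is still matched

def is_affected(major: int, minor: int, patch: int) -> bool:
    """True for the range named in the advisory: 3.0.0 through 3.0.6."""
    return (major, minor) == (3, 0) and patch <= 6

def banners(data: bytes) -> dict[str, bool]:
    """Map each OpenSSL version found in a byte string to its affected flag."""
    found = {}
    for m in BANNER.finditer(data):
        major, minor, patch = (int(g) for g in m.group(1, 2, 3))
        version = f"{major}.{minor}.{patch}{m.group(4).decode()}"
        found[version] = is_affected(major, minor, patch)
    return found

def scan_file(path: Path, chunk_size: int = 1 << 20) -> dict[str, bool]:
    """Scan one file in chunks; unreadable files yield no findings."""
    found, tail = {}, b""
    try:
        with path.open("rb") as fh:
            while chunk := fh.read(chunk_size):
                buf = tail + chunk
                found.update(banners(buf))
                tail = buf[-OVERLAP:]
    except OSError:
        pass
    return found

def scan_tree(root: Path) -> dict[str, dict[str, bool]]:
    """Scan every regular file under root; return only files that carry a banner."""
    results = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink() and (hits := scan_file(p)):
            results[str(p)] = hits
    return results

if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, hits in scan_tree(root).items():
        for version, affected in sorted(hits.items()):
            print(f"{'AFFECTED' if affected else 'ok':8} {version:10} {path}")
```

Run it against an application install directory or a library path; a file reported as AFFECTED still needs to be checked against the OpenSSL Advisory, since the banner shows the library version only, not whether the vulnerable code path is reachable.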


Hosted Objective Products and Customers - Are my Objective solutions affected?

Since the issue was initially identified, the Objective Product Development Teams have been actively investigating the impact of the vulnerability across the entire range of Objective solutions. Each product has been updated with a status, denoting the current state of the investigation and the next steps to be taken.

The following tables will be updated as the status of each investigation changes. The statuses used are:

  • Not Affected: Vulnerability does not affect this product
  • Mitigated: Security configuration put in place whilst awaiting patch
  • Mitigation Available: A security configuration is available to be applied
  • Patch Pending: Investigation complete. Mitigation in progress
  • Patch Applied: Patch has been applied by the Objective Team
  • Patch Available: Patch available for customers to install. Contact Objective Support for details



Content Solutions

| Product | Status |
| --- | --- |
| Objective ECM or ECMaaS | Not Affected |
| Objective Connect | Not Affected |
| Objective Connect Link (on-premise) | Not Affected |
| Objective Connect Link (cloud) | Not Affected |
| Objective Gov365 | Not Affected |
| Objective Integrate | Not Affected |
| Objective Redact | Not Affected |
| Objective 3Sixty (on-premise) | Mitigation/Patch Available (if required) |

RegTech

| Product | Status |
| --- | --- |
| Objective RegWorks | Not Affected |
| Objective RegWorks Mobile | Not Affected |
| Objective Reach | Not Affected |

Keystone

| Product | Status |
| --- | --- |
| Objective Keystone | Not Affected |

Planning and Building

| Product | Status |
| --- | --- |
| Objective Trapeze | Not Affected |
| AlphaOne | Not Affected |
| GoGet | Not Affected |
| Objective Build | Not Affected |