GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from https://support.gfi.com.

Home » GFI User Forums » Kerio Control » OpenSSL fixes two high severity vulnerabilities (Is Kerio Control/Connect affected?)
OpenSSL fixes two high severity vulnerabilities [message #153045] Wed, 02 November 2022 13:14 Go to next message
tverweij is currently offline  tverweij
Messages: 54
Registered: March 2010
Location: Curacao
OpenSSL fixes two high severity vulnerabilities (CVE-2022-3602 and CVE-2022-3786)
See: https://www.openssl.org/blog/blog/2022/11/01/email-address-o verflows

Question:
Are Kerio Control and Kerio Connect affected by these bugs?
If so - when will a fix be available?
Re: OpenSSL fixes two high severity vulnerabilities [message #153082 is a reply to message #153045] Thu, 10 November 2022 12:15 Go to previous messageGo to next message
apveenstra is currently offline  apveenstra
Messages: 1
Registered: November 2022
Any news on this topic?

I'm curious too if Kerio Connect is vulnerable for this issue.
I also can't find what version of OpenSSL is used by Kerio Connect or Kerio Control. It is not mentioned in the release notes...

Kind regards,
Alexander
Re: OpenSSL fixes two high severity vulnerabilities [message #153105 is a reply to message #153082] Sun, 13 November 2022 05:35 Go to previous messageGo to next message
Nick.Geary is currently offline  Nick.Geary
Messages: 73
Registered: January 2021
I've looked into the matter and these vulnerabilities impact all versions of OpenSSL between 3.0.0 - 3.0.6.

From what I've found, Kerio Control is running the ongoing development OpenSSL 1.1.1 branch which would not be impacted by the vulnerability.

Kerio Control release notes, lists the most recent mention of OpenSSL was upgrading with the release of Kerio Control 9.3.6.1 where "The OpenSSL library is upgraded from 1.0.2j to 1.1.1d."

For Kerio Connect, the most recent Engineering ticket was tracking the upgrade of OpenSSL to version OpenSSL 1.1.1o which is also not impacted.

In any case, I will engage with our Engineering Team for further confirmation.




Nick Geary
GFI Software

[Updated on: Thu, 17 November 2022 16:14]

Report message to a moderator

Re: OpenSSL fixes two high severity vulnerabilities [message #153122 is a reply to message #153105] Thu, 17 November 2022 02:20 Go to previous message
Nick.Geary is currently offline  Nick.Geary
Messages: 73
Registered: January 2021
I'd like to provide an update and additional confirmation as I mentioned. Our Development Team determined Kerio products are not impacted by the above mentioned CVE's.

Nick Geary
GFI Software

[Updated on: Thu, 17 November 2022 16:15]

Report message to a moderator

Previous Topic: Optimal hardware for a stable Kerio Control instance?
Goto Forum:
  


Current Time: Tue Nov 29 05:15:27 CET 2022

Total time taken to generate the page: 0.02534 seconds