Differences

This shows you the differences between two versions of the page.

--- general:openssl3 [2022/11/01 18:36] – emr
+++ general:openssl3 [2022/11/02 12:36] – anh
@@ Line 1: / Line 1: @@
-====== Stages and OpenSSL 3.x Vulnerability CVE-2022-3358 ======
+====== Stages and OpenSSL 3.x Vulnerabilities CVE-2022-3602, CVE-2022-3786 ======
 The Stages managed services *.stages.digital and *.stagesasaservice.com are not impacted.
-On premise Stages installations are not impacted, unless all of the following conditions apply:
+On premise Stages installations are not impacted, unless the following conditions apply:
-OpenSSL 3.0.0 - 3.0.5 is installed on your operating system. You can check by executing "openssl version" on the command line.
+  * OpenSSL 3.0.0 - 3.0.6 is installed on your operating system. You can check by executing "openssl version" on the command line.
+  * OpenSSL usage is explicitly enabled by configuring an SSL Connector and removing the comments around the following configuration line in …/conf/server.xml. The default configuration uses the Java SSL implementation, which is not vulnerable.
-OpenSSL usage is explicitly enabled by removing the comments around
+<code>
+<!-- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> -->
-<!– <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> –>
+</code>
-in …/conf/server.xml. The default configuration uses the Java SSL implementation, which is not vulnerable.
+If you are using a reverse proxy in front of Stages (e.g. Apache Server), please also check whether it is configured with one of the affected OpenSSL versions (3.0.0-3.0.6) and if this is the case, install the newest version.