Stages and OpenSSL 3.x Vulnerabilities CVE-2022-3602, CVE-2022-3786

The Stages managed services *.stages.digital and *.stagesasaservice.com are not impacted.

On-premises Stages installations are not impacted, unless the following conditions apply:

  • OpenSSL 3.0.0 - 3.0.6 is installed on your operating system. You can check by executing “openssl version” on the command line.
  • OpenSSL usage is explicitly enabled by configuring an SSL Connector and removing the comments around the following configuration line in …/conf/server.xml:
      <!-- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> -->
    The default configuration uses the Java SSL implementation, which is not vulnerable.

If you are using a reverse proxy in front of Stages (e.g. Apache Server), please also check whether it is configured with one of the affected OpenSSL versions (3.0.0-3.0.6) and if this is the case, install the newest version.
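
The two conditions listed above can be checked on a host with a short script. This is an added example, not code from the Stages vendor; it assumes both conditions must hold for an installation to be impacted, and the function names and the server.xml path passed as an argument are hypothetical. The version test can be reused on a reverse proxy host.

```shell
#!/bin/sh
# Added example, not vendor code. Checks the advisory's two conditions on one host.

# Return 0 if the version string lies in the affected range 3.0.0 - 3.0.6.
openssl_version_affected() {
    case "$1" in
        3.0.[0-6]|3.0.[0-6][!0-9]*) return 0 ;;   # also matches suffixed builds, not 3.0.10
        *) return 1 ;;
    esac
}

# Return 0 if server.xml ($1) holds an uncommented APR listener with SSLEngine="on".
apr_ssl_engine_enabled() {
    awk '
        { doc = doc $0 "\n" }
        END {
            # Remove every <!-- ... --> block, including multi-line ones.
            while ((s = index(doc, "<!--")) > 0) {
                rest = substr(doc, s + 4)
                e = index(rest, "-->")
                if (e == 0) { doc = substr(doc, 1, s - 1); break }
                doc = substr(doc, 1, s - 1) substr(rest, e + 3)
            }
            n = split(doc, el, "<")
            for (i = 1; i <= n; i++)
                if (el[i] ~ /^Listener[ \t\n]/ && el[i] ~ /AprLifecycleListener/ &&
                    el[i] ~ /SSLEngine[ \t\n]*=[ \t\n]*"on"/) exit 0
            exit 1
        }' "$1"
}

# Report whether both conditions hold for the local openssl binary and the given file.
check_host() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    ver=$(openssl version 2>/dev/null | awk '{print $2}')
    if openssl_version_affected "$ver" && apr_ssl_engine_enabled "$1"; then
        echo "AFFECTED: OpenSSL $ver with APR SSLEngine enabled in $1"
        return 1
    fi
    echo "Not affected per advisory (OpenSSL ${ver:-not found})"
}

# Run only when a server.xml path is given, e.g.: sh check.sh <stages-dir>/conf/server.xml
if [ $# -gt 0 ]; then check_host "$1"; fi
```

The script reports on the `openssl` binary found on the PATH, which is what “openssl version” on the command line shows.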