Differences

This shows you the differences between two versions of the page.

--- general:openssl3 [2022/11/01 18:38] – emr
+++ general:openssl3 [2024/02/15 00:00] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
-====== Stages and OpenSSL 3.x Vulnerability CVE-2022-3358 ======
+====== Stages and OpenSSL 3.x Vulnerabilities CVE-2022-3602, CVE-2022-3786 ======
 The Stages managed services *.stages.digital and *.stagesasaservice.com are not impacted.
-On premise Stages installations are not impacted, unless all of the following conditions apply:
+On premise Stages installations are not impacted, unless the following conditions apply:
-  * OpenSSL 3.0.0 - 3.0.5 is installed on your operating system. You can check by executing "openssl version" on the command line.
+  * OpenSSL 3.0.0 - 3.0.6 is installed on your operating system. You can check by executing "openssl version" on the command line.
-  * OpenSSL usage is explicitly enabled by removing the comments around the following configuration line in …/conf/server.xml. The default configuration uses the Java SSL implementation, which is not vulnerable.
+  * OpenSSL usage is explicitly enabled by configuring an SSL Connector and removing the comments around the following configuration line in …/conf/server.xml. The default configuration uses the Java SSL implementation, which is not vulnerable.
 <code>
-<!– <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> –>
+<!-- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> -->
 </code>
-We will update this statement as more information around the vulnerability becomes available.
+If you are using a reverse proxy in front of Stages (e.g. Apache Server), please also check whether it is configured with one of the affected OpenSSL versions (3.0.0-3.0.6) and if this is the case, install the newest version.