Nov 1, 2022   |   Tom Cope

Public Notice for OpenSSL (CVE-2022-3786 + CVE-2022-3602)


On 31 October 2022 at 09:00, the Next DLP Security Team was notified about a critical vulnerability affecting OpenSSL versions 3.0 and above (fixed in version 3.0.7), identified as CVE-2022-3786 and CVE-2022-3602.

The vulnerability is a buffer overflow bug in the certificate verification process, which could result in a crash causing a denial of service on a targeted system or potential remote code execution.

You can find more information about the issue here: OpenSSL Advisory

The Next DLP Product Security Incident Response Team (PSIRT) and Internal Blue Teams have launched an internal investigation into the impact of the vulnerability across our products, services and internal business tools.

Here at Next DLP we take security very seriously as an ISO 27001 certified company. We have strong internal security controls and processes to ensure the security of customer data even in the event of a vulnerability in third-party software.

Due to previous security vulnerabilities with OpenSSL, we avoid its use within our products and services. The following have been reviewed and confirmed:

  • Reveal Cloud: Our cloud environments and internal cloud components are not impacted by this vulnerability.
  • Reveal Agent: all versions - NOT Impacted.
    • OpenSSL is not used within our agent code base.

We are actively monitoring and reviewing our internal systems and will publish a full security advisory to our support portal once these investigations have concluded. 

If you have any further questions please contact the Next DLP Security team: security@nextdlp.com

Last Updated: 2022-11-01T16:47:00
