October 28, 2022
RE: CVE-2022-3358 OpenSSL vulnerability and implications for INSIGHT DLP Appliances
Note: Unless new information is discovered, the INSIGHT Appliance team will no longer be updating this article.
Dear INSIGHT Appliance Customer,
As you may be aware, on October 11th, 2022, OpenSSL.org released a Security Advisory (CVE-2022-3358) describing an issue identified in OpenSSL when a custom cipher is created with NID_undef, which may result in NULL encryption (no encryption being applied).
CVE-2022-3358 identifies a vulnerability in OpenSSL 3.0; applications are only affected if they call EVP_CIPHER_meth_new() with NID_undef and subsequently use the resulting cipher in a call to one of the encryption/decryption initialization functions. Applications that only use SSL/TLS, and users of OpenSSL 1.1.1 and 1.0.2, are not impacted by this issue.
Note: Users with OpenSSL 3.0 should upgrade to OpenSSL 3.0.6.
Broadcom released the article Symantec Security Advisory for OpenSSL-CVE-2022-3786 after their investigation into the issue. The most important thing to note is that Symantec DLP is not affected by the vulnerability.
Additionally, the INSIGHT Development and Security teams have completed an investigation of this vulnerability and its potential impact on INSIGHT Appliances, Symantec Data Loss Prevention (DLP), and the Oracle Database. As a result of this investigation, the INSIGHT Team can confirm that all INSIGHT Appliances, Symantec DLP, and the Oracle Database do not use the affected version of the OpenSSL package. To rephrase, INSIGHT Appliances are not affected by the vulnerability discovered with OpenSSL as all Appliances ship with OpenSSL 1.0.x and not the version affected.
To check the version of OpenSSL your device is using, run the command rpm -qa | grep openssl via SSH as a protected user on any Appliance host, Enforce server, or Detection server.
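As an added illustration (not part of the original advisory), the following POSIX shell script takes package names of the form printed by the command above and flags any whose upstream OpenSSL version falls in the affected 3.0.0 through 3.0.5 range; the package list is constructed sample data and the helper names are my own.

```shell
#!/bin/sh
# Constructed sample of `rpm -qa | grep openssl` output (not from a real host).
SAMPLE_RPM_LIST='openssl-1.0.2k-25.el7_9.x86_64
openssl-libs-1.0.2k-25.el7_9.x86_64
openssl-libs-3.0.1-41.el9.x86_64
openssl-3.0.7-6.el9.x86_64'

# Extract the upstream version from an rpm package name, e.g.
# "openssl-libs-3.0.1-41.el9.x86_64" -> "3.0.1", "openssl-1.0.2k-..." -> "1.0.2k".
rpm_version() {
    printf '%s\n' "$1" | sed -E 's/^openssl(-[a-z]+)*-([0-9][0-9a-z.]*)-.*$/\2/'
}

# CVE-2022-3358 affects OpenSSL 3.0.0 through 3.0.5; 3.0.6 contains the fix,
# and the 1.1.1 and 1.0.2 branches are not affected at all.
# Returns 0 (true) when the given upstream version is in the affected range.
is_affected_version() {
    case "$1" in
        3.0.[0-5]) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print every package in a newline-separated rpm listing whose upstream
# version is affected; prints nothing when the host is clean.
affected_packages() {
    printf '%s\n' "$1" | while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        v=$(rpm_version "$pkg")
        if is_affected_version "$v"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# On a live host you would feed it the real listing instead:
#   affected_packages "$(rpm -qa | grep openssl)"
affected_packages "$SAMPLE_RPM_LIST"
```

Distributions often backport fixes without bumping the upstream version, so a flagged package is a prompt to confirm with rpm -q --changelog openssl (or the vendor advisory), not a final verdict.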
The articles below can be used for additional reference information: