As reported by BeyondTrust on Friday, October 28, 2022, the OpenSSL Organization announced a high-severity security vulnerability in versions 3.0.x and above. According to the OpenSSL project team, an issue of high severity affects common configurations and is also likely exploitable. OpenSSL indicates the two CVEs involved are CVE-2022-3602 and CVE-2022-3786.
BeyondTrust has evaluated all our solutions to determine the impact of the vulnerable component. Based on this analysis, a patch will be applied to affected BeyondTrust products using the newly released OpenSSL version 3.0.7, which became available on Tuesday, November 1, 2022. This patch addresses the vulnerability and will be applied to the following BeyondTrust products:
- Password Safe and Password Safe Cloud, to be available during November 2022
- Privilege Management for Windows, to be available during November 2022
BeyondTrust products unaffected by the OpenSSL vulnerability:
- DevOps Secrets Safe
- Privileged Access Discovery Application
- Privilege Management for Mac, Unix and Linux
- Privilege Management Cloud
- Active Directory Bridge
- Remote Support
- Privileged Remote Access
- Cloud Privilege Broker
BeyondTrust will continue to monitor this situation closely and will update this blog post as new information becomes available. Customers may access the BeyondTrust Knowledge Base portal to learn more.
If you have additional questions, please reach out to BeyondTrust Technical Support.