Numecent has determined the recently discovered OpenSSL 3 vulnerabilities, CVE-2022-3602 and CVE-2022-3786, do not impact Cloudpaging or Cloudpager.
These vulnerabilities apply to OpenSSL versions 3.0.0 to 3.0.6. We can confirm that no Numecent product users are affected based on the following:
- Cloudpaging Server & Enterprise Portal – Cloudpaging Server and Enterprise do not use the OpenSSL libraries and are thus unaffected. However, we strongly recommend that customers who have configured their Tomcat to use JSSE with OpenSSL or Apache Portable Runtime (APR) upgrade their OpenSSL engine to 3.0.7 immediately.
- Cloudpaging Player & Studio – While Cloudpaging Player 9.3.3 and Studio 9.3.0 use OpenSSL, they do not utilize the use functionalities affected by the vulnerabilities.
- Cloudpaging CDN – Cloudpager does not use Open SSL 3 and is not affected.
- Cloudpager – Cloudpager does not use Open SSL 3 and is not affected.
Security is a top concern here at Numecent. While there are no vulnerabilities impacting the current implementation of OpenSSL used by Cloudpaging Player and Cloudpaging Studio, we will be providing an update to ensure our customers have the latest OpenSSL 3 version available.
Numecent will continue to monitor and provide updates to the potential impact of the vulnerability on Numecent managed services and on-premises installations.