Expert Guide, News

Current vulnerabilities in OpenSSL: CVE-2022-3602, CVE-2022-3786

Markus Stumpf

Critical vulnerabilities in OpenSSL published. Learn now how IBM Spectrum Protect and IBM Spectrum Protect Plus are affected.

On 11/01/2022 two critical vulnerabilities in OpenSSL were published (see also Heise). These vulnerabilities were initially rated as "Critical", but have since been downgraded to "High".

IBM Spectrum Protect 

IBM Spectrum Protect verifies TLS certificates with IBM's own Global Security Kit (GSKit) rather than with OpenSSL. IBM client communications and password storage are therefore not directly affected by these two vulnerabilities.

Our tip

Nevertheless, you should keep an eye on the IBM PSIRT blog, as IBM has announced that it will publish statements on the individual IBM products there.

IBM Spectrum Protect Plus

IBM Spectrum Protect Plus includes OpenSSL in the appliance OVAs. You can check the installed version as follows:

Check if OpenSSL is present

[serveradmin@esplus20 ~]$ which openssl
/usr/bin/openssl

Check which OpenSSL version is present

[serveradmin@esplus20 ~]$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

The sample output was produced on Spectrum Protect Plus version 10.1.10. It shows that this appliance version is not affected, as the CVEs only affect OpenSSL 3.0.0-3.0.6.

Attention

OpenSSL can still be part of the underlying operating systems regardless of the backup application. This can also be checked with the above commands.
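The two manual checks above can be automated for every `openssl` binary on the PATH, appliance or underlying operating system alike. The following script is an added example, not part of the original article or of any IBM tooling; the function names `classify_openssl_version` and `scan_path` are chosen for this example, and the affected range 3.0.0-3.0.6 is the one stated in the article.

```shell
#!/bin/sh
# Added example: classify `openssl version` banners against the range the
# article states as affected (OpenSSL 3.0.0 through 3.0.6).

# Prints: affected | not-affected | unknown
classify_openssl_version() {
    line=$1
    # Only genuine OpenSSL banners are classified; other libraries
    # (e.g. LibreSSL) use their own version numbering.
    case $line in
        "OpenSSL "*) ;;
        *) echo unknown; return 0 ;;
    esac
    # Field 2 is the version, e.g. 1.0.2k-fips or 3.0.5
    ver=$(printf '%s\n' "$line" | awk '{print $2}')
    # Keep the numeric major.minor.patch; letter/suffix parts are ignored.
    core=$(printf '%s\n' "$ver" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$core" ] || { echo unknown; return 0; }
    major=${core%%.*}
    rest=${core#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Check every openssl binary on PATH, not just the first one `which` reports.
scan_path() {
    old_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        bin=$dir/openssl
        [ -f "$bin" ] && [ -x "$bin" ] || continue
        banner=$("$bin" version 2>/dev/null) || banner=
        printf '%s\t%s\t%s\n' "$bin" \
            "$(classify_openssl_version "$banner")" "$banner"
    done
    IFS=$old_ifs
}

scan_path
```

Distribution packages can carry backported fixes without changing the upstream version string, so an `affected` result for a vendor package should be confirmed against the vendor's advisory.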

Red Hat partially affected

Red Hat has already stated that only RHEL 9 is affected. RHEL 9 has not yet been released as an operating system for the IBM Spectrum Protect server:

https://access.redhat.com/security/cve/cve-2022-3786
https://access.redhat.com/security/cve/cve-2022-3602

Conclusion

To the best of our current knowledge, Spectrum Protect and Spectrum Protect Plus are not affected by these vulnerabilities. We will continue to monitor the situation and update our website if there are any changes.

Do you have any questions? Feel free to contact us!