Sherry Tha
May 12, 2022, 11:51:09 AM
Our security team has notified me of a vulnerability, detected by a scan, that is pretty high. The vulnerability (CVE-2022-1292) score is listed as 10.0 (critical) and was detected based on the presence of OpenSSL with a version prior to 1.1.1o running on port 443 on the server. I was able to verify that it is the Apache service that is utilizing that vulnerable version of OpenSSL on port 443. This Apache HTTP Server 2.4 comes with a limited OpenSSL distribution which is at version OpenSSL 1.1.1n.
According to the NVD record for CVE-2022-1292, this c_rehash script/command issue is fixed in OpenSSL 1.1.1o (affected: 1.1.1-1.1.1n), and we are only on OpenSSL 1.1.1n. How would I go about fixing this vulnerability? Do I wait for a new Apache to be released to fix it, or is there a way to upgrade to a higher OpenSSL? I'm not all that slick with security yet. Please advise.