This document addresses concerns about ePO and the OpenSSL vulnerabilities documented in CVE-2021-3712 and CVE-2021-23840. The OpenSSL vulnerabilities are referenced in the OpenSSL Security Advisory issued on August 24, 2021.

NOTES:
- The OpenSSL Security Advisory references CVE-2021-3711 in addition to CVE-2021-3712.
- CVE-2021-3711 doesn't apply to OpenSSL version 1.0.2.
- Because version 1.0.2 is the only OpenSSL version used by currently supported versions of ePO, CVE-2021-3711 doesn't apply to ePO.

For CVE-2021-3712 and CVE-2021-23840, our investigation is complete and is now documented in SB10366 - Security Bulletin - ePolicy Orchestrator update addresses two product vulnerabilities (CVE-2021-31834 and CVE-2021-31835) and updates Java, OpenSSL, and Tomcat.