Open-source Languages & Tools for z/OS


Are any Rocket z/OS tools affected by OpenSSL vulnerability CVE-2022-3602?

Richard Walton posted 11-02-2022 17:02
Hi.

OpenSSL recently reported critical/high vulnerability CVE-2022-3602 which is a buffer overrun in v3.x that is fixed in v3.0.7.

Can you confirm that this vulnerability is not present in the OpenSSL supplied with Rocket z/OS Open-Source tools or any other z/OS tool supplied by Rocket?

The "openssl version" command shows OpenSSL at v1.0.2 in Rocket Open-Source tools for z/OS so it would appear that this version is not affected.

Thanks.
ROCKETEER Alexander Klochkov
Hi Richard,

According to nvd.nist.gov, CVE-2022-3602 only affects versions 3.0.x. The current version of OpenSSL in Rocket Open AppDev for Z is 1.1.1k and has been updated recently to include the latest security fixes.

Thanks,
Alexander
ROCKETEER Peter Fandel
Hi Richard, did I read correctly you are running v1.0.2 of OpenSSL?! That build is years old and has a great many vulnerabilities I am sure. Possibly none that are critical in severity and we know this latest CVE does not affect you but your version is so old I don't even have records anymore so I can't even tell you which vulnerabilities it has. If you are counting on being up to date with security vulnerabilities I strongly recommend getting on paid support as using our ports without support means you are always running up to six months behind on security fixes.
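An added example, not posted by anyone in this thread: a small POSIX sh check that takes the output of `openssl version` (the command Richard used) and decides whether the build falls in the CVE-2022-3602 range the thread describes (3.0.x releases before the 3.0.7 fix). The function names and the sample version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an `openssl version` string against CVE-2022-3602.
# Per the thread, only 3.0.x builds are affected and 3.0.7 carries the fix,
# so the affected range is 3.0.0 through 3.0.6. Returns 0 = affected, 1 = not.
cve_2022_3602_affected() {
    # $1 is the whole line, e.g. "OpenSSL 3.0.5 5 Jul 2022"; the second
    # whitespace-separated field is the version string.
    set -- $1
    ver=$2
    case "$ver" in
        3.0.[0-9]*) ;;          # candidate: a 3.0.x release, check the patch level
        *) return 1 ;;          # 1.0.2u, 1.1.1k, 3.1.x and friends are out of range
    esac
    # Third dotted component, with any letter/pre-release suffix stripped.
    patch=$(printf '%s\n' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ "$patch" -lt 7 ]
}

# Human-readable verdict built on the check above.
verdict() {
    if cve_2022_3602_affected "$1"; then
        echo "AFFECTED: '$1' is a 3.0.x build below 3.0.7; update to 3.0.7 or later"
    else
        echo "NOT AFFECTED: '$1' is outside the CVE-2022-3602 range (3.0.0-3.0.6)"
    fi
}

# Check the OpenSSL actually on PATH, if there is one (e.g. the Rocket port).
if command -v openssl >/dev/null 2>&1; then
    verdict "$(openssl version 2>/dev/null)"
fi
```

Being outside this one CVE's range says nothing about other issues; as Peter's reply notes, a 1.0.2 build is years old and unsupported regardless of this result.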