Last Updated: November 15, 2022
Resolved – Solace Product Updates Released

CVE-2022-3602, CVE-2022-3786

Solace is aware of the recently reported OpenSSL vulnerability affecting versions 3.0.0 through 3.0.6. Details on the vulnerability are available here. Since its original announcement, this vulnerability has been downgraded from Critical to High severity, with a CVSS 3.x score of 7.5 (High).

All Solace broker products had an impacted version of OpenSSL installed but, given how they use the library, were not exposed to this vulnerability. Maintenance releases issued on November 15, 2022 addressed this issue.

Additionally, OpenSSL 3.0 can be used in 1.1 compatibility mode. The Solace C, .NET, JavaRTO, Python and Go APIs use OpenSSL 1.1. If your organization has chosen to deploy applications using any of these APIs with OpenSSL 3.0 in 1.1 compatibility mode, those applications may be exposed, and you will need to patch the OpenSSL libraries.
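
To find application hosts that need the OpenSSL patch, the version banners collected from them (for example the output of `openssl version`) can be checked against the affected range stated above. The following is an added example, not Solace code; the host names and banner strings are constructed sample data.

```python
import re

# Affected range as stated in the advisory: OpenSSL 3.0.0 through 3.0.6.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches banners such as "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
_BANNER = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_banner(banner):
    """Return (major, minor, patch) from an OpenSSL version banner, or None."""
    m = _BANNER.search(banner)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1, 2, 3))


def classify(banner):
    """Classify a banner as 'affected', 'not-affected' or 'unknown'."""
    version = parse_banner(banner)
    if version is None:
        # Not an OpenSSL banner (other TLS library, empty output): review by hand.
        return "unknown"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    return "not-affected"


def audit(inventory):
    """Map host -> classification for a {host: banner} inventory."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical host names).
SAMPLE = {
    "app-01": "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
    "app-02": "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)",
    "app-03": "OpenSSL 1.1.1q  5 Jul 2022",
    "app-04": "LibreSSL 3.5.3",
}

if __name__ == "__main__":
    for host, verdict in sorted(audit(SAMPLE).items()):
        print(f"{host}: {verdict}")
```

Distribution packages may backport the fix without changing the upstream version number, so confirm an "affected" result against the vendor's package version before scheduling work.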