Last Updated: November 7, 2022 at 15:44 (EST)
Active – Solace Product Updates Pending

CVE-2022-3602, CVE-2022-3786

Solace is aware of the recently reported OpenSSL vulnerability affecting versions 3.0.0 through 3.0.6. Details on the vulnerability are available here. Since its original announcement, this vulnerability has been downgraded from Critical to High severity, with a CVSS 3.x score of 7.5 (High).

All Solace broker products have an impacted version of OpenSSL installed but, given how they use the library, are not exposed to this vulnerability. Updated versions of all broker products will be released following our normal maintenance release schedule to remove the impacted version.

Additionally, OpenSSL 3.0 can be used in 1.1 compatibility mode. The Solace C, .NET, JavaRTO, Python and Go APIs use OpenSSL 1.1. If your organization has chosen to deploy applications using any of these APIs with OpenSSL 3.0 in 1.1 compatibility mode, those applications may be exposed and you will need to patch the OpenSSL libraries.
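
To find which deployed applications need the patch, the following added example (not Solace's code) scans library or executable files for the OpenSSL version banner and flags versions in the 3.0.0 through 3.0.6 range stated above. It assumes the banner text (as printed by `openssl version`) is embedded in the file being scanned; the function names and sample byte strings are constructed for illustration.

```python
import re
import sys

# Affected range as stated in this advisory: OpenSSL 3.0.0 through 3.0.6.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Version banner such as "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
# A letter suffix (the "q" in 1.1.1q) is ignored; only the numeric triple is compared.
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)")

def find_versions(data: bytes):
    """Return the sorted, de-duplicated (major, minor, patch) tuples found in data."""
    return sorted({tuple(int(g) for g in m.groups()) for m in BANNER.finditer(data)})

def is_affected(version):
    """True if the version tuple lies within the affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def scan(data: bytes):
    """Map each version found in data to True (affected) or False."""
    return {".".join(map(str, v)): is_affected(v) for v in find_versions(data)}

def scan_file(path):
    """Scan one file on disk, e.g. a libcrypto shared object or a static binary."""
    with open(path, "rb") as fh:
        return scan(fh.read())

# Constructed sample inputs standing in for the contents of library files.
SAMPLE_AFFECTED = b"\x00\x01binary\x00OpenSSL 3.0.5 5 Jul 2022\x00more\x00"
SAMPLE_LEGACY = b"\x00OpenSSL 1.1.1q  5 Jul 2022\x00"
SAMPLE_UPDATED = b"\x00OpenSSL 3.0.7 1 Nov 2022\x00OpenSSL 3.0.7 1 Nov 2022\x00"

if __name__ == "__main__":
    # Usage: python scan_openssl.py /path/to/libcrypto.so [more files...]
    exit_code = 0
    for path in sys.argv[1:]:
        for version, affected in scan_file(path).items():
            print(f"{path}: OpenSSL {version} {'AFFECTED' if affected else 'ok'}")
            exit_code |= int(affected)
    sys.exit(exit_code)
```

A file with no banner yields an empty result, which means "unknown" rather than "safe"; confirm such cases with the application's own version reporting.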