Are EventReporter products affected by recent OpenSSL CVEs?
Question
Are EventReporter products affected by recent OpenSSL CVEs? Which OpenSSL version do the products use, and are the vulnerable components used?
Problem
Customers may see OpenSSL security advisories (e.g., multiple CVEs from OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, or 1.1.1/1.0.2 branches) and need to know:
- Whether EventReporter is affected by specific CVEs
- Which OpenSSL version is shipped with EventReporter
- Whether the vulnerable code paths or components are used
Symptoms
- Security or compliance teams request a formal assessment of OpenSSL CVEs for EventReporter
- Scans or reports may flag EventReporter due to bundled OpenSSL
- No observable runtime failure; this is a security/compliance assessment topic
Solution
EventReporter v19.x uses a specific OpenSSL version (e.g., 3.2.1). OpenSSL advisories list affected version ranges per CVE. Many CVEs affect only certain release branches (e.g., 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1, 1.0.2) and do not include all minor lines (e.g., 3.2.x).
If EventReporter ships OpenSSL from a branch that is not in the affected set for a given CVE, the product is not vulnerable to that CVE regardless of whether the vulnerable API exists in the code base.
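The comparison described above, as an added example rather than Adiscon's own tooling: it checks a bundled OpenSSL version against the per-branch affected ranges of an advisory. The CVE identifiers and version ranges are constructed placeholders and the function names are hypothetical; take the real ranges from the OpenSSL advisory and the bundled version from Adiscon Support.

```python
import re

# Constructed sample data (placeholder CVE ids, invented ranges): each CVE maps
# a release branch to (first affected version, first fixed version).
ADVISORY = {
    "CVE-PLACEHOLDER-A": {"3.5": ("3.5.0", "3.5.5"), "3.0": ("3.0.0", "3.0.19")},
    "CVE-PLACEHOLDER-B": {"3.2": ("3.2.0", "3.2.4"), "1.1.1": ("1.1.1", "1.1.1ze")},
}


def parse(version):
    """Turn an OpenSSL version such as 3.2.1 or 1.1.1w into a sortable key."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letters = m.groups()
    # Letter releases sort by length first: 1.0.2z < 1.0.2za < 1.0.2zb
    return (int(major), int(minor), int(patch), len(letters), letters)


def branch(version):
    """Release branch: major.minor from 3.0 on, major.minor.patch before."""
    major, minor, patch, _, _ = parse(version)
    return f"{major}.{minor}" if major >= 3 else f"{major}.{minor}.{patch}"


def assess(bundled, advisory=ADVISORY):
    """Return a verdict per CVE for the bundled OpenSSL version."""
    verdicts = {}
    for cve, ranges in advisory.items():
        affected = ranges.get(branch(bundled))
        if affected is None:
            # The advisory does not list this branch at all.
            verdicts[cve] = "branch not in affected set"
        elif parse(affected[0]) <= parse(bundled) < parse(affected[1]):
            verdicts[cve] = "affected"
        else:
            verdicts[cve] = "outside affected range"
    return verdicts


if __name__ == "__main__":
    # 3.2.1 is the example version named in this article.
    for cve, verdict in assess("3.2.1").items():
        print(f"{cve}: {verdict}")
```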
Information:
- OpenSSL versions are embedded into the product statically without dependencies on system-installed versions
- The product uses its own bundled OpenSSL library, independent of any OpenSSL installation on the system
- This means system OpenSSL updates do not affect the product, and conversely, the product’s OpenSSL does not affect system security
Important Notes:
- OpenSSL version information for your specific build can be obtained from Adiscon Support
- Adiscon monitors security advisories and provides updates as necessary
- For the most current information, consult the EventReporter release notes or contact Support