On November 1, 2022, the OpenSSL Project announced the following vulnerabilities, lowering the initial assessment from critical to high impact:
- CVE-2022-3602 – X.509 Email Address 4-byte Buffer Overflow
- CVE-2022-3786 – X.509 Email Address Variable Length Buffer Overflow

Esri has already received customer requests regarding the applicability of the vulnerability, and there is significant media attention on it; therefore, we have published this announcement.

OpenSSL 3.x is not widely utilized in Esri products and online services. If you have identified a specific concern, please report it through the ArcGIS Trust Center "report a concern" page.
For the current OpenSSL Project communication on this issue, see the OpenSSL Security Advisory.
- Esri Software Security & Privacy