Could the recently discovered OpenSSL 3.x vulnerability affect Laserfiche applications? Not sure what version of OpenSSL Laserfiche uses.
Thanks in advance
We have published a support site knowledgebase article about the vulnerability. You can find it here:
Laserfiche Support - OpenSSL 3.0 Vulnerability (CVE-2022-3602 and CVE-2022-3786)
For convenience, I have reproduced the contents of that post as of Nov 1, 2022 at 8:30pm CST below:
----------------
Summary
Laserfiche is aware of the OpenSSL 3.0 vulnerabilities (CVE-2022-3602 and CVE-2022-3786) publicly disclosed on November 1, 2022, as described in https://www.openssl.org/news/vulnerabilities.html.
Laserfiche's online services, including Laserfiche Cloud, are not affected by the vulnerabilities.
Laserfiche's self-hosted products do not ship with or use OpenSSL 3.0.x and are not directly affected by the vulnerabilities.
Related Links
Laserfiche products for self-hosted environments don't include OpenSSL, but there may be components of the larger solution (i.e. non-Laserfiche products) that need to be evaluated. Related: https://answers.laserfiche.com/questions/54083/Heartbleed-SSL-Vulnerability
Hi Justin,
We're currently looking into this and expect to have more information once the disclosure is released Nov 1, 2022.
With that said, self-hosted Laserfiche systems are unlikely to be meaningfully affected as Laserfiche applications that run on Windows like Web Client, Forms, Workflow, Directory Server, and Laserfiche Server all use the Windows Schannel SSP TLS implementation and not OpenSSL.