KB Article #177998

CFT vulnerability to CVE-2016-2108 and OpenSSL version included in 3.1.3

Problem

Why is OpenSSL CVE-2016-2108 a reduced risk for CFT, and which OpenSSL version is included in 3.1.3?

Resolution

This is a reduced risk because this CVE can affect only the internal connections to CG and Passport, which are possibly vulnerable (it is an all-embedded mechanism).

--CFT313 includes: OpenSSL 0.9.8e (since SP7, with the TLS 1.2 support, we are using Axway internal code for TLS)

--CFT322 will possibly include: OpenSSL 1.0.1 (=> the version can change before the GA release)