PDFTron Products and the OpenSSL Vulnerabilities (CVE-2022-3602 and CVE-2022-3786)

On Tuesday, October 25th, the OpenSSL maintainers announced that a Critical Vulnerability had been discovered impacting OpenSSL versions 3.0.0 to 3.0.6 (inclusive):

https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html

They also confirmed that this does not impact any earlier versions of OpenSSL.

Source: https://twitter.com/iamamoose/status/1584908434855628800

As soon as PDFTron became aware of the matter, an investigation was conducted to understand how this impacted the relevant products that make use of OpenSSL.

As of this writing, PDFTron has confirmed that there are product offerings that do make use of OpenSSL; however, no PDFTron product offerings are currently using OpenSSL versions 3.0.0 to 3.0.6.

Furthermore, since the release of the patch, the severity of the issue has been downgraded from a Critical vulnerability to a High vulnerability. More details on the matter can be found here:

If there are any questions/concerns around this matter, please reach out to security (at) pdftron.com.

Correy Lim
Security Operations Manager
