CVE-2022-3602 and System.Security.Cryptography.OpenSsl #77864
-
|
There's a security advisory of an important OpenSSL vulnerability between version 3.0 and fixed in 3.7. Is there a way to determine if the System.Security.Cryptography.OpenSsl.dll file included in most of my .NET6 applications after doing a publish is affected? The versioning is using a different number. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
|
Beta Was this translation helpful? Give feedback.
-
|
Thanks, but do you know which openssl assembly does it invoke? I see that the Linux docker images got patched, but what about running the application natively on Windows? Is there one bundled in the OS? It's not required for users to install OpenSSL manually to run the application, so I'm confused about that "listed as a dependency" sentence. The managed dll must be there for a reason and it probably does invoke a real one lying somewhere? Sorry for this clarification request, I just want to have a clear answer to give to my users to appease their fear. |
Beta Was this translation helpful? Give feedback.
-
OpenSSL isn't ever used on Windows. The assembly on Windows is throwing |
Beta Was this translation helpful? Give feedback.
System.Security.Cryptography.OpenSslis a managed assembly that invokes openssl.I don't believe .NET runtime ships a copy of OpenSSL, since it's listed as a dependency.