Imperva Cyber Community

Has Imperva put out any language on the OpenSSL fix released this week?

Understanding that it was downgraded from the anticipated critical rating, I still can't find any statement from Imperva about any exposure in the On-Prem WAF, much less any thing that says action is or is not necessary.

Thanks!
SK

#On-PremisesWAF(formerlySecuresphere)

------------------------------
Skott Klebe
Security Architect
EBSCO Information Services
Ipswich MA
------------------------------

WAF GW and Cloud WAF products do not use OpenSSL v3 and therefore not vulnerable to these CVEs.


------------------------------
Anat Zadik
Engineering Manager
Imperva
Tel Aviv
------------------------------

Other than product impact, are there any policies that WAF can protect against vulnerabilities?

Thanks
JK


------------------------------
Cho Jae Ku
engineer
Cybertek holdings Inc
seoul
------------------------------

Original Message:
Sent: 11-03-2022 07:44
From: Anat Zadik
Subject: OpenSSL CVE-2022-3786 and CVE-2022-3602

WAF GW and Cloud WAF products do not use OpenSSL v3 and therefore not vulnerable to these CVEs.


------------------------------
Anat Zadik
Engineering Manager
Imperva
Tel Aviv
------------------------------

I was asking because Imperva On-prem terminates some TLS, not because there's something that it can do to protect against those vulnerabilities.

------------------------------
Skott Klebe
Security Architect
EBSCO Information Services
Ipswich MA
------------------------------

Original Message:
Sent: 11-04-2022 00:39
From: Cho Jae Ku
Subject: OpenSSL CVE-2022-3786 and CVE-2022-3602

Other than product impact, are there any policies that WAF can protect against vulnerabilities?

Thanks
JK


------------------------------
Cho Jae Ku
engineer
Cybertek holdings Inc
seoul
------------------------------


Original Message:
Sent: 11-03-2022 07:44
From: Anat Zadik
Subject: OpenSSL CVE-2022-3786 and CVE-2022-3602

WAF GW and Cloud WAF products do not use OpenSSL v3 and therefore not vulnerable to these CVEs.


------------------------------
Anat Zadik
Engineering Manager
Imperva
Tel Aviv

Hi how about DAM's in Imperva V2500 Database Activity Monitoring Virtual Appliance running Imperva SecureSphere 14.6, are they affected by this CVE?

------------------------------
mon-loi Perez
Manager
Singapore Network Information Centre
Singapore
------------------------------

Original Message:
Sent: 11-03-2022 07:44
From: Anat Zadik
Subject: OpenSSL CVE-2022-3786 and CVE-2022-3602

WAF GW and Cloud WAF products do not use OpenSSL v3 and therefore not vulnerable to these CVEs.


------------------------------
Anat Zadik
Engineering Manager
Imperva
Tel Aviv
------------------------------

Thank you!
This is exactly the infomation I was looking for. 
SK

------------------------------
Skott Klebe
Security Architect
EBSCO Information Services
Ipswich MA
------------------------------

Original Message:
Sent: 11-03-2022 07:44
From: Anat Zadik
Subject: OpenSSL CVE-2022-3786 and CVE-2022-3602

WAF GW and Cloud WAF products do not use OpenSSL v3 and therefore not vulnerable to these CVEs.


------------------------------
Anat Zadik
Engineering Manager
Imperva
Tel Aviv
------------------------------