Imperva Cyber Community

 View Only
  • 1.  OpenSSL CVE-2022-3786 and CVE-2022-3602

    Posted 11-02-2022 13:19

    Has Imperva put out any language on the OpenSSL fix released this week?

    Understanding that it was downgraded from the anticipated critical rating, I still can't find any statement from Imperva about any exposure in the On-Prem WAF, much less any thing that says action is or is not necessary.

    Thanks!
    SK


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Skott Klebe
    Security Architect
    EBSCO Information Services
    Ipswich MA
    ------------------------------


  • 2.  RE: OpenSSL CVE-2022-3786 and CVE-2022-3602

    Posted 11-03-2022 07:44
    WAF GW and Cloud WAF products do not use OpenSSL v3 and therefore not vulnerable to these CVEs.


    ------------------------------
    Anat Zadik
    Engineering Manager
    Imperva
    Tel Aviv
    ------------------------------



  • 3.  RE: OpenSSL CVE-2022-3786 and CVE-2022-3602

    Posted 11-04-2022 08:50
    Other than product impact, are there any policies that WAF can protect against vulnerabilities?

    Thanks
    JK


    ------------------------------
    Cho Jae Ku
    engineer
    Cybertek holdings Inc
    seoul
    ------------------------------



  • 4.  RE: OpenSSL CVE-2022-3786 and CVE-2022-3602

    Posted 11-04-2022 09:51
    I was asking because Imperva On-prem terminates some TLS, not because there's something that it can do to protect against those vulnerabilities.

    ------------------------------
    Skott Klebe
    Security Architect
    EBSCO Information Services
    Ipswich MA
    ------------------------------



  • 5.  RE: OpenSSL CVE-2022-3786 and CVE-2022-3602

    Posted 11-04-2022 08:50
    Hi how about DAM's in Imperva V2500 Database Activity Monitoring Virtual Appliance running Imperva SecureSphere 14.6, are they affected by this CVE?

    ------------------------------
    mon-loi Perez
    Manager
    Singapore Network Information Centre
    Singapore
    ------------------------------



  • 6.  RE: OpenSSL CVE-2022-3786 and CVE-2022-3602

    Posted 11-04-2022 09:52
    Thank you!
    This is exactly the infomation I was looking for. 
    SK

    ------------------------------
    Skott Klebe
    Security Architect
    EBSCO Information Services
    Ipswich MA
    ------------------------------