Vulnerable ssleay32.dll in OCS Inventory Agent (CVE-2022-0778) #290

Open
Vancco opened this issue Feb 4, 2025 · 2 comments

Comments

@Vancco

Vancco commented Feb 4, 2025

Hello OCS Inventory Team,

We have identified that the OCS Inventory Agent includes a vulnerable version of ssleay32.dll in its installation folder:

  • File path: C:\Program Files\OCS Inventory Agent\ssleay32.dll
  • Detected version: 1.0.2r
  • Vulnerability: CVE-2022-0778 (affects OpenSSL versions >= 1.0.2, < 1.0.2zd)

Could you confirm if this issue has been addressed in the latest version of the OCS Agent? If not, is there an update planned to replace the affected DLL?

Thank you for your assistance.

Best regards,

@gillesdubois
Member

Hi @Vancco

After investigating the issue, it doesn't seem we use the impacted function in our agent.
Nonetheless, we are going to provide an updated agent with OpenSSL 1.0.2zd.

Thanks a lot for your feedback!

Regards,
Gilles DUBOIS.

@Vancco
Author

Vancco commented Feb 12, 2025

Dear Gilles,

Thank you for your prompt response and for investigating the issue. I appreciate your efforts in planning to update the agent with OpenSSL 1.0.2zd.

Given that the impacted function isn't utilized in the agent, would it be feasible to remove the vulnerable DLL entirely? This could potentially simplify the codebase and eliminate any associated security risks.

Thank you once again for your attention to this matter.

Best regards
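
The version check discussed in this thread, as an added example that is not part of the issue or of the OCS Inventory code: it looks for the OpenSSL version banner inside a library's bytes and tests each version found against the range quoted in the report (>= 1.0.2, < 1.0.2zd). The function names and the sample bytes are assumptions made for illustration; the sample is constructed, not read from a real ssleay32.dll.

```python
import re

# Range as stated in the issue: affected >= 1.0.2, fixed in 1.0.2zd.
AFFECTED_MIN = "1.0.2"
FIXED_IN = "1.0.2zd"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")
# OpenSSL embeds its version text ("OpenSSL <version> <date>") in the library.
_BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")


def version_key(version):
    """Turn '1.0.2r' into (1, 0, 2, 'r') so that versions sort correctly.

    The letter suffix sorts as a plain string: '' < 'a' < ... < 'z' < 'za' < 'zd'.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters)


def banner_versions(blob):
    """Return every distinct OpenSSL version banner found in the bytes, sorted."""
    found = {m.group(1).decode("ascii") for m in _BANNER_RE.finditer(blob)}
    return sorted(found, key=version_key)


def in_reported_range(version):
    """True if the version falls inside the range quoted in the issue."""
    return version_key(AFFECTED_MIN) <= version_key(version) < version_key(FIXED_IN)


def triage(blob):
    """Map each version banner found in the bytes to its in-range verdict."""
    return {v: in_reported_range(v) for v in banner_versions(blob)}


# Constructed stand-in for the contents of a DLL (not a real file).
SAMPLE_DLL_BYTES = b"MZ\x90\x00" + b"\x00" * 16 + b"OpenSSL 1.0.2r\x00"

if __name__ == "__main__":
    for version, affected in triage(SAMPLE_DLL_BYTES).items():
        print(version, "in reported range" if affected else "outside reported range")
```

To check an installed file, pass its contents to `triage`, for example the bytes read from the path given in the report.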
