Pleasant Password Server Products NOT Affected by OpenSSL 3.x Vulnerability
Regarding: OpenSSL 3.x Vulnerabilities - CVE-2022-3602, CVE-2022-3786
Password Server does NOT use OpenSSL and is NOT vulnerable to these attacks:
- OpenSSL is an open source software toolkit, and as such, OpenSSL releases are basically source code releases.
Password Server products do NOT use this component and we have checked thoroughly that they are unaffected by this vulnerability:
- Password Server
- KeePass for Pleasant
- Mac Client
- Mobile Clients (Android/iOS)
- Password Safe Client
- Self-Serve Reset
- Auto-Fill (browser extension)
Pleasant Password Server components:
- Server Side:
  - Password Server does not use or rely on OpenSSL. Instead, other cryptography libraries are used (none of which use or rely on OpenSSL), including Microsoft's cryptography library (System.Security.Cryptography).
- Client Side:
  - Password Server clients do not use or rely on OpenSSL. Instead, other cryptography libraries are used (none of which use or rely on OpenSSL).
- Hosting components:
  - Password Server is not hosted using an OpenSSL component. It is hosted on IISExpress (default) or IIS (recommended).
Update Pleasant Password Software
However, recent releases of Password Server include other important Pleasant Password Server Security Updates for unrelated issues, and these do require updating.
Download unrelated security patches (Stable / Latest):
Further Mitigation in Your Systems
If your organization uses OpenSSL 3.0.0 or above elsewhere, you should resolve this by:
- Immediately updating any copies of OpenSSL in your network to OpenSSL version 3.0.7 (expected on Nov 1, 2022)
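To decide which systems need that update, the following added example (not Pleasant Solutions code) triages `openssl version` banners collected from your hosts against the affected range, 3.0.0 up to but not including 3.0.7. The host names and banner lines are constructed samples, and the function names are hypothetical.

```python
import re

# Affected range for CVE-2022-3602 / CVE-2022-3786:
# OpenSSL 3.0.0 up to, but not including, the fixed release 3.0.7.
FIRST_AFFECTED = (3, 0, 0)
FIXED = (3, 0, 7)

# First token is the product name, followed by a dotted three-part version.
BANNER = re.compile(r"^\s*(\S+)\s+(\d+)\.(\d+)\.(\d+)")


def classify(banner):
    """Classify one `openssl version` banner line."""
    m = BANNER.match(banner)
    if not m:
        return "unknown"        # no parsable banner (tool missing, error text)
    if m.group(1) != "OpenSSL":
        return "not-openssl"    # e.g. LibreSSL: separate code base and versioning
    version = tuple(int(part) for part in m.group(2, 3, 4))
    return "affected" if FIRST_AFFECTED <= version < FIXED else "not-affected"


def hosts_to_update(inventory):
    """Return the sorted host names whose banner falls in the affected range."""
    return sorted(h for h, b in inventory.items() if classify(b) == "affected")


# Constructed sample inventory (host names and banners are illustrative).
SAMPLE = {
    "build-01": "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
    "web-02": "OpenSSL 1.1.1q  5 Jul 2022",
    "proxy-03": "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)",
    "mac-04": "LibreSSL 3.3.6",
    "app-05": "OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)",
    "win-06": "openssl : The term 'openssl' is not recognized",
}

if __name__ == "__main__":
    for host in hosts_to_update(SAMPLE):
        print(f"{host}: update to OpenSSL 3.0.7")
```

The banner only describes the command-line binary that answered; copies of OpenSSL bundled inside other applications have to be checked through those applications' own version information.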
More Details:
- Microsoft Response:
- Akamai Blog Security research:
- Microsoft's cryptography library (System.Security.Cryptography)