In my case it is a DoD system and the openssl hits reference three nist concerns: CVE-2023-2975 CVE-2023-3446 CVE-2023-3817 I linked the nist articles, but apparently that isn't allowed. You can search them out if you want to. These are all considered medium vulnerabilities, except that under DoD the last one, authentication gets bumped up a notch because it is authentication related. OpenSSL has already addressed them. The question is when will Splunk integrate them into their own install packages. Going back to DoD and saying that it really isn't a big deal and I'm not going to fix it won't fly. The options are: get a vendor patch, get instructions from the vendor on how to patch it without an update, or update it without vendor support and hope you don't break anything.
... View more