ctrlX Products affected by OpenSSL Vulnerability CVE-2020-1971

Published

2020-12-18 00:00:00 UTC

Summary

BOSCH-SA-274557: The OpenSSL Software Foundation has published information [1] for OpenSSL versions prior to 1.1.1i (1.1.1 – 1.1.1h) and prior to 1.0.2x (1.0.2 – 1.0.2w) regarding a weakness in the `GENERAL_NAME_cmp` function. The vulnerability could allow an attacker to provoke a null pointer dereference, potentially leading to a denial of service. Multiple Bosch Rexroth components are shipped with a vulnerable OpenSSL version. The aforementioned function is not used directly by any Rexroth software component, and therefore the risk of an attacker being able to exploit the vulnerability is considered low. Nevertheless, it cannot be completely ruled out that the function might be called indirectly. It is therefore strongly advised to follow the suggested solution and mitigations.
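As an added example (not part of the advisory or of any Bosch Rexroth component), the following Python helper classifies `openssl version` output against the affected ranges stated above, so that a component inventory can be screened for builds that still need the update. The component names in the sample inventory are constructed placeholders.

```python
import re

# Affected ranges as stated in the advisory: 1.1.1 through 1.1.1h (first fixed
# release 1.1.1i) and 1.0.2 through 1.0.2w (first fixed release 1.0.2x).
# Key: release branch, value: first patch letter that is NOT affected.
FIRST_FIXED_LETTER = {
    (1, 1, 1): "i",
    (1, 0, 2): "x",
}

# Matches "1.1.1h", "1.0.2", "1.1.1" inside strings such as
# "OpenSSL 1.1.1h  22 Sep 2020". Pre-release tags (e.g. "-pre1") are not parsed.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)\b")


def parse_openssl_version(text):
    """Return ((major, minor, patch), letter) for the first version found in text."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch)), letter


def is_affected_by_cve_2020_1971(text):
    """True if the version lies inside the ranges the advisory lists as vulnerable."""
    branch, letter = parse_openssl_version(text)
    fixed = FIRST_FIXED_LETTER.get(branch)
    if fixed is None:
        # Branches not named in the advisory (e.g. 3.x) are outside its scope.
        return False
    # OpenSSL letter releases sort alphabetically; the bare branch release
    # (empty letter) is the earliest and compares lower than any letter.
    return letter < fixed


def affected_components(inventory):
    """Filter {component: openssl_version_string} down to the affected entries."""
    return {name: ver for name, ver in inventory.items()
            if is_affected_by_cve_2020_1971(ver)}


if __name__ == "__main__":
    # Constructed sample inventory; names are placeholders, not real products.
    sample = {
        "component-A": "OpenSSL 1.1.1h  22 Sep 2020",
        "component-B": "OpenSSL 1.1.1i  8 Dec 2020",
        "component-C": "OpenSSL 1.0.2w",
        "component-D": "OpenSSL 3.0.0",
    }
    for name, ver in affected_components(sample).items():
        print(f"{name}: {ver} -> update required")
```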