OpenSSL critical vulnerability

On October 25th, 2022, the OpenSSL project team announced that the forthcoming version 3.0.7 would be released on November 1, 2022 to address a critical severity vulnerability affecting OpenSSL versions 3.0 and newer.

Schneider Electric is aware of two vulnerabilities tracked as CVE-2022-3786 and CVE-2022-3602 in the third-party component, OpenSSL. We are working to assess how these vulnerabilities impact Schneider Electric offers.

We recommend customers implement cybersecurity best practices across their operations as outlined in the Schneider Electric Recommended Cybersecurity Best Practices document.

For a list of impacted products and remediations, please refer to Schneider Electric's security bulletin which contains the most up to date information:
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp

As additional information related to this vulnerability presents, products could move from non-impacted to impacted status.

Based on the current information and analysis available, the following products are not impacted by the OpenSSL vulnerability:

• Data Center Expert (DCE)

• EcoStruxure IT Gateway and Gateway Appliance

• EcoStruxure IT Expert (ITE)

• IT Advisor (ITA) (hosted and on premise)

• Data Center Operations (DCO)

• NetBotz v4.x (355, 450, 455, 550, 570)

• NetBotz v5.x (750, 755)
• NetBotz 250
• NetBotz Wireless Sensor Update Utility