Vulnerabilities in NXLog libraries "libcrypto-1_1-x64.dll" and "libssl-1_1-x64.dll", related to "OpenSSL, Version: 1.1.1q"


#1 Djordje

A vulnerability scanner has discovered a number of vulnerabilities (CVE-2022-4450, CVE-2023-0215, CVE-2023-4807) related to "OpenSSL, version 1.1.1q" in the NXLog libraries "libcrypto-1_1-x64.dll" and "libssl-1_1-x64.dll".

Are there concrete plans and deadlines for updating these libraries by moving to non-vulnerable OpenSSL versions?

#2 NenadMDeactivated Nxlog ✓

NXLog can't commit to any specific date for the new NXLog CE version. This is an open source project.

Also, this seems to be a duplicate post so I'll just copy/paste the one already answered:
Hello Djordje,

If the modules are not used in the nxlog.conf file, it's very likely that you won't see any issues if you delete the corresponding dll files. But please don't do that straight into the production environment. Please do a test first. Also, please note that you might need to unregister the dll first. Please check the link: https://kb.blackbaud.com/knowledgebase/articles/Article/48728

Also, please tell us which NXLog CE version you use. Is it the latest one: nxlog-ce-3.2.2329? Does the vulnerability scanner point to those files directly?