How do I check if OpenSSL is compromised (CVE-2025-15467)?
0
Hi all, there is a security advisory https://openssl-library.org/news/secadv/20260127.txt for OpenSSL. How do I check if this affects our apps? I know there is a reference to org.bouncycastle.openssl, which is found in bcpkix I believe, but I am lost when it comes to checking versions, dependencies, etc. There is not yet a Siemens advisory regarding this.
asked
Patrick Jansen-Ferdinandus
1 answers
0
Hello Patrick :)
The vulnerability CVE-2025-15467 is a high-severity stack buffer overflow specifically affecting the OpenSSL C library (native code), not the Java-based libraries typically used by Mendix.
Clarification: OpenSSL vs. Bouncy Castle
You mentioned org.bouncycastle.openssl found in bcpkix. It is important to distinguish between these two:
OpenSSL (Affected): This is a library written in C. The vulnerability exists in the way the native C code parses "AuthEnvelopedData" messages.
Bouncy Castle (Not Affected by this CVE): This is a Java library. While it has a package called org.bouncycastle.openssl, this package is merely a Java implementation that allows you to parse files formatted for OpenSSL (like .pem or .key files). It does not use the native OpenSSL C library.
Conclusion: Your Bouncy Castle dependencies (bcpkix-jdk15on, etc.) are not affected by CVE-2025-15467. You do not need to update Bouncy Castle to fix this specific OpenSSL bug.
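One way to make the Java-versus-native distinction in this answer checkable, as an added example that is not part of the original answer and not Mendix, Bouncy Castle or OpenSSL project code: it inspects a JAR for bundled shared libraries (the only way native code travels inside a JAR, an assumption stated in the code) and confirms that the org/bouncycastle/openssl entries are plain .class files, then reports the host's native OpenSSL version, which is what the advisory actually applies to. The two JARs are constructed in memory so the script runs offline.

```python
import io
import shutil
import subprocess
import zipfile

NATIVE_SUFFIXES = (".so", ".dll", ".dylib", ".jnilib")

def classify_jar(jar_bytes):
    """Return ('native', [entries]) if the JAR ships shared libraries that may
    embed or link OpenSSL, else ('java', []) for pure bytecode.
    Assumption: native code only enters a JAR as bundled shared objects; a JAR
    that dlopen()s the system libssl is still reported as 'java' here, so the
    host-level check below is needed as well."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        native = [n for n in zf.namelist() if n.lower().endswith(NATIVE_SUFFIXES)]
    return ("native", native) if native else ("java", native)

def bouncycastle_openssl_entries(jar_bytes):
    """List the org/bouncycastle/openssl entries; on a real bcpkix JAR these are
    .class files (Java bytecode), which is why the package name alone says
    nothing about exposure to the native OpenSSL bug."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [n for n in zf.namelist() if n.startswith("org/bouncycastle/openssl/")]

def host_openssl_version():
    """Version string of the native OpenSSL on this host (the thing the advisory
    applies to), or None if no openssl binary is on PATH."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True)
    return out.stdout.strip() or None

def build_sample_jar(entries):
    """Constructed stand-in for a JAR: the given entry names with dummy content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"\x00")
    return buf.getvalue()

# Constructed samples: a bcpkix-like pure-Java JAR and a JAR bundling a shared object.
PURE_JAVA_JAR = build_sample_jar(["META-INF/MANIFEST.MF",
    "org/bouncycastle/openssl/PEMParser.class", "org/bouncycastle/openssl/PEMKeyPair.class"])
NATIVE_JAR = build_sample_jar(["META-INF/MANIFEST.MF",
    "com/example/Ssl.class", "META-INF/native/libssl_shaded.so"])

if __name__ == "__main__":
    for label, jar in (("bcpkix-like", PURE_JAVA_JAR), ("native-bundling", NATIVE_JAR)):
        print(label, classify_jar(jar))
    print("bouncycastle.openssl entries:", bouncycastle_openssl_entries(PURE_JAVA_JAR))
    print("host OpenSSL:", host_openssl_version())
```

To run it against real files, replace the constructed samples with `open(path, "rb").read()` for each JAR in the app's userlib; any JAR classified as `native` needs its own vendor check, while the host version is what to compare against the advisory's fixed releases.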