Description
Some customers have reported security alerts from vulnerability scanning/reporting tools after deploying OpenVPN Connect v3.6.0, indicating the application is affected by vulnerability CVE-2021-3547 (OpenVPN 3 Core library 3.6 and 3.6.1 possible certificate authentication bypass with --verify-x509-name).
Important Note: Don't confuse the OpenVPN Connect v3 version with the OpenVPN Core Library version.
Resolution
- The fix for this vulnerability was introduced in OpenVPN 3 Core library version 3.6.2, as mentioned in the OpenVPN Community Wiki and Tracker.
- OpenVPN Connect v3.6.0 uses OpenVPN 3 Core library version 3.10.5, which includes the fix and was released after the vulnerability was addressed.
- The fix was first introduced in OpenVPN Connect v3.3.0, which incorporated OpenVPN 3 Core library version 3.6.2.
Therefore, OpenVPN Connect v3.6.0 isn't affected by CVE-2021-3547, and these security alerts can be dismissed as false positives.
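The version check behind this conclusion, as an added example (not OpenVPN's code or any scanner's): it evaluates the finding against the bundled Core library version rather than the Connect version, and compares versions numerically so that 3.10.5 sorts after 3.6.2. The function names and the "naive" matching behaviour are assumptions for illustration; the version numbers are the ones stated in this article.

```python
import re

# From the article: affected Core library releases and the first fixed release.
AFFECTED_CORE = {"3.6", "3.6.1"}
FIXED_CORE = "3.6.2"
# From the article: Core library bundled with each OpenVPN Connect release.
# Only the two pairs the article states are listed here.
CONNECT_TO_CORE = {"3.3.0": "3.6.2", "3.6.0": "3.10.5"}

def parse(version):
    """'v3.6' -> (3, 6, 0). Numeric tuples avoid the string-compare trap
    where '3.10.5' < '3.6.2'."""
    m = re.fullmatch(r"v?\.?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    return tuple(nums + [0] * (3 - len(nums)))

def core_status(core_version):
    """Classify an OpenVPN 3 Core library version against CVE-2021-3547."""
    v = parse(core_version)
    if v in {parse(a) for a in AFFECTED_CORE}:
        return "affected"
    if v >= parse(FIXED_CORE):
        return "fixed"
    return "not-listed"  # older than the releases the advisory names

def naive_match(connect_version):
    """Assumed false-positive path: the Connect version is treated as if it
    were the Core library version."""
    return core_status(connect_version)

def triage(connect_version):
    """Resolve Connect -> bundled Core first, then classify the Core version."""
    key = ".".join(str(n) for n in parse(connect_version))
    core = CONNECT_TO_CORE.get(key)
    if core is None:
        return "unknown-core"  # do not guess; look up the bundled Core version
    return core_status(core)

if __name__ == "__main__":
    for connect in ("3.6.0", "3.3.0", "3.5.0"):
        print(connect, "naive:", naive_match(connect), "triage:", triage(connect))
```

A Connect release that is missing from the mapping returns `unknown-core` instead of a verdict, so the bundled Core version has to be confirmed before a finding is dismissed.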
If you have additional questions, please submit a ticket.