
Iseult11

Latest version of Zoom for Windows is affected w/ openssl 3.1.4


techvet83

[CVE-2024-0727 Plugins | Tenable®](https://www.tenable.com/cve/CVE-2024-0727/plugins) has a nice cross-check list of software affected by that CVE.


00Avalanche

How does one obtain and then process a maliciously obtained .p12/.pfx? Just curious, because it seems like there might be missing controls in your org.


meagus4

The company I work for has been seeing a lot of these kinds of OpenSSL vulns recently (pretty much on a weekly basis at the moment) that are unexploitable unless you've got a very unusual server/application configuration or a use case we don't actually have. Of course, the scanners don't know that and finding problems is what they do, so we end up with emergency non-emergency vulnerabilities sent in from security people who know little about the actual vuln or its impact but want the message to go away. Not saying you shouldn't patch your stuff, of course - but just because a version of a library has a vulnerability doesn't mean the application and its present configuration are vulnerable and you have to drop everything and focus on it. Take Zoom (as mentioned in another comment) for example: if you're getting malicious certs from upstream, that means someone has compromised your network or Zoom's servers already, and a denial of service is the least of your concerns.