All my phone systems have been flagged as being vulnerable to this exploit OpenSSL ver 1.0.2k is currently installed. The system has all currently available OS patches installed. Vulnerability is reported as being fixed in OpenSSL ver 1.0.2zf is there a plan to upgrade OpenSSL to a patched or newer version in SNG7.8.2003 any time soon so I can get our IT security/compliance group off my back
Whilst I don’t know the actual situation here, often what happens with Linux distributions is that security fixes are back ported to an older version, and the main version number remains unchanged, which can confuse security checks that don’t actually attempt the exploit.
Also, in a turnkey type system, the vulnerability maybe impossible to exploit, because there isn’t sufficiently open access to the general public.
I agree that while all are systems are open only to the internal network the problem is we are a k-12 school district so while we are isolated from the world as a whole, unlike most businesses we also face an internal risk from students with BYOT devices bringing god knows what into the network. While the BYOT devices are deployed into an isolated VLAN and the VoIP has its own dedicated VLAN as well there are still larger holes poked in the firewall between these networks than the outside world to allow for day-to-day internal operations. Nonetheless, the version of OpenSSL installed is still showing as being outdated no matter which way you look at it OpenSSL 1.0.2 went EOL Dec 20, 2019 so 2.5 years later would have thought that SNG7 would have migrated or at the very least be a plan to migrate to a supported version 1.1.1 or 3.0.0 but can find nothing so throwing the question out there