Are rsyslog Windows Agent products affected by recent OpenSSL CVEs?
Question
Are rsyslog Windows Agent products affected by recent OpenSSL CVEs? Which OpenSSL version do the products use, and are the vulnerable components used?
Problem
Customers may see OpenSSL security advisories (e.g., multiple CVEs from OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, or 1.1.1/1.0.2 branches) and need to know:
- Whether rsyslog Windows Agent is affected by specific CVEs
- Which OpenSSL version is shipped with rsyslog Windows Agent
- Whether the vulnerable code paths or components are used
Symptoms
- Security or compliance teams request a formal assessment of OpenSSL CVEs for rsyslog Windows Agent
- Scans or reports may flag rsyslog Windows Agent due to bundled OpenSSL
- No observable runtime failure; this is a security/compliance assessment topic
Solution
rsyslog Windows Agent v8.x uses a specific OpenSSL version (e.g., 3.2.1). OpenSSL advisories list affected version ranges per CVE. Many CVEs affect only certain release branches (e.g., 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1, 1.0.2) and do not include all minor lines (e.g., 3.2.x).
If rsyslog Windows Agent ships OpenSSL from a branch that is not in the affected set for a given CVE, the product is not vulnerable to that CVE regardless of whether the vulnerable API exists in the code base.
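The branch check described above can be scripted for a compliance report. This is an added example, not code from Adiscon or the rsyslog project; the CVE identifiers and affected ranges are constructed placeholders rather than real advisory data, and 3.2.1 is the example version mentioned on this page.

```python
import re

# Matches 3.x style ("3.2.1") and legacy letter releases ("1.1.1w", "1.0.2zd").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_openssl_version(text):
    """Turn an OpenSSL release string into a tuple that sorts in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, patch, letters = m.groups()
    # Letter releases order as '' < a..z < za..zz, so compare length first.
    return (int(major), int(minor), int(patch), len(letters), letters)


def is_affected(bundled, affected_ranges):
    """True if `bundled` lies in any half-open range [introduced, fixed)."""
    v = parse_openssl_version(bundled)
    return any(
        parse_openssl_version(introduced) <= v < parse_openssl_version(fixed)
        for introduced, fixed in affected_ranges
    )


def assess(bundled, advisories):
    """Map each advisory id to whether the bundled version is in its affected set."""
    return {cve: is_affected(bundled, ranges) for cve, ranges in advisories.items()}


# Constructed sample data: placeholder ids and made-up ranges, one per branch,
# in the "from X before Y" form that OpenSSL advisories use.
SAMPLE_ADVISORIES = {
    "CVE-PLACEHOLDER-A": [("3.3.0", "3.3.2"), ("3.0.0", "3.0.15"), ("1.1.1", "1.1.1za")],
    "CVE-PLACEHOLDER-B": [("3.2.0", "3.2.2")],
}

if __name__ == "__main__":
    # Bundled version as reported by Support for the build under review.
    for cve, hit in assess("3.2.1", SAMPLE_ADVISORIES).items():
        print(f"{cve}: {'AFFECTED' if hit else 'not in affected range'}")
```

Replace the sample dictionary with the ranges from the advisory under review and the bundled version confirmed for your build.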
Information:
- OpenSSL versions are embedded into the product statically without dependencies on system-installed versions
- The product uses its own bundled OpenSSL library, independent of any OpenSSL installation on the system
- This means system OpenSSL updates do not affect the product, and conversely, the product’s OpenSSL does not affect system security
Important Notes:
- OpenSSL version information for your specific build can be obtained from Adiscon Support
- Adiscon monitors security advisories and provides updates as necessary
- For the most current information, consult the rsyslog Windows Agent release notes or contact Support