4. What’s Fixed in 7.3.0

[Critical]: System-stopping issue, such as a crash or data loss.
[Major]: Significant issue with no easy workaround.
[Minor]: Issue that usually has a workaround.
[Trivial]: Small issue, such as a typo in a log.

4.1. [Critical] Potential Crash on Windows when using OpenSSL due to a vulnerability in OpenSSL

TLS Support has a third-party dependency on OpenSSL, and the previous OpenSSL version is known to be affected by a number of publicly disclosed vulnerabilities.

These vulnerabilities have been fixed by upgrading OpenSSL to version 3.0.12. See Upgraded OpenSSL to version 3.0.12 for more details.

4.1.1. User Impact without Security

The impact on Connext applications of using the previous version was as follows:

  • Exploitable by triggering the calculation of a POLY1305 MAC (message authentication code) over data larger than 64 bytes on a 64-bit Windows platform, when running on newer x86_64 processors that support the AVX512-IFMA instructions.

  • The application could crash or fall under the complete control of the attacker.

  • CVSS Base Score: 7.8 HIGH

  • CVSS v3.1 Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
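An operator checking a fleet against this entry wants two things: whether a host still links an OpenSSL older than the 3.0.12 this release upgrades to, and whether the host matches the preconditions listed above (64-bit Windows, x86_64, AVX512-IFMA). The script below is an added example, not RTI's code; it takes the platform and CPU-flag inputs as explicit arguments (a constructed inventory format) so it can be run offline, and treats 3.0.12 as the threshold only because that is the version this release ships.

```python
"""Assess a host's OpenSSL build against the 3.0.12 upgrade in this release.

Added example, not RTI's code. The threshold below is the version this release
upgrades to; the platform and CPU flags are supplied by the caller.
"""
import platform
import re
import ssl

FIXED_VERSION = (3, 0, 12)  # assumption: the version named in this release note

# Matches "3.0.12" in "OpenSSL 3.0.12 24 Oct 2023" and "1.1.1w" (1.x letter suffix).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> tuple:
    """Return (major, minor, patch, suffix) from `openssl version` style output."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), suffix)


def is_older_than_fix(version_text: str) -> bool:
    """True when the linked OpenSSL predates the 3.0.12 this release ships."""
    return parse_openssl_version(version_text)[:3] < FIXED_VERSION


def matches_exposure_conditions(system: str, machine: str, cpu_flags) -> bool:
    """True when the host matches the conditions listed for the POLY1305 issue:
    64-bit Windows on an x86_64 CPU that advertises AVX512-IFMA."""
    flags = {f.lower() for f in cpu_flags}
    return (system.lower() == "windows"
            and machine.lower() in {"amd64", "x86_64"}
            and "avx512ifma" in flags)


def assess(version_text: str, system: str, machine: str, cpu_flags) -> str:
    """Classify a host: 'patched', 'outdated' (old OpenSSL, preconditions not
    met) or 'vulnerable-and-exposed' (old OpenSSL and preconditions met)."""
    if not is_older_than_fix(version_text):
        return "patched"
    if matches_exposure_conditions(system, machine, cpu_flags):
        return "vulnerable-and-exposed"
    return "outdated"


if __name__ == "__main__":
    # Report on the OpenSSL linked into this interpreter; CPU flags are not
    # readable portably from Python, so they are passed as an empty set here.
    print(assess(ssl.OPENSSL_VERSION, platform.system(), platform.machine(), set()))
```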

4.1.2. User Impact with Security

Same as “User Impact without Security.”

[RTI Issue ID COREPLG-721]