Description
Dear team,
After installing version 1.8.1.26, our vulnerability scanner reported a critical finding with risk score 9.8:
Vulnerable software openssl 3.4.1.0 found.
Disk paths:
Description:
A vulnerability in OpenSSL allows a stack buffer overflow when parsing CMS AuthEnvelopedData messages with maliciously crafted AEAD parameters, such as an oversized Initialization Vector (IV). This issue occurs before authentication or tag verification, potentially leading to a crash or remote code execution.
Impact:
Exploitation of this vulnerability can result in Denial of Service (DoS) or remote code execution, depending on platform and toolchain mitigations.
Additional Information:
The issue affects OpenSSL versions 3.6, 3.5, 3.4, 3.3, and 3.0, but not versions 1.1.1 and 1.0.2. The FIPS modules in these versions are not impacted as the CMS implementation is outside the OpenSSL FIPS module boundary.
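To confirm a finding like the one above and to see whether the repeated hits are stale copies of one OpenSSL build, an administrator can inventory the DLLs the agent's ocran-extracted Ruby runtime carries. This is an added example, not code from the issue or from the CodeDeploy agent project; it assumes the agent root matches the paths in the report and that the DLLs' file version resource reflects the OpenSSL build.

```powershell
# Added example (not from the issue or the aws-codedeploy-agent project):
# list every libcrypto-3.dll / libssl-3.dll under the agent's ocran* extraction
# directories with its file version, timestamp and SHA-256, then group by version.
# Assumption: the agent root below is the one the scanner reported.
$AgentBin = 'C:\ProgramData\Amazon\CodeDeploy\bin'
$Dlls     = 'libcrypto-3.dll', 'libssl-3.dll'

$inventory = Get-ChildItem -Path $AgentBin -Directory -Filter 'ocran*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = $_
        foreach ($name in $Dlls) {
            $dll = Join-Path $dir.FullName "bin\ruby_builtin_dlls\$name"
            if (Test-Path -LiteralPath $dll) {
                $item = Get-Item -LiteralPath $dll
                [pscustomobject]@{
                    ExtractDir  = $dir.Name
                    Dll         = $name
                    FileVersion = $item.VersionInfo.FileVersion
                    LastWrite   = $item.LastWriteTime
                    Sha256      = (Get-FileHash -Algorithm SHA256 -LiteralPath $dll).Hash
                }
            }
        }
    }

# One row per DLL copy, so each scanner hit can be matched to a directory.
$inventory | Sort-Object LastWrite | Format-Table -AutoSize

# Distinct OpenSSL builds present: leftover ocran* directories from earlier agent
# runs usually share one version, which is why the scanner reports it many times.
$inventory | Group-Object FileVersion, Dll |
    Select-Object Count, Name |
    Sort-Object Name
```

Run it in an elevated PowerShell session, since the ocran* directories under ProgramData are created by the agent service; a second run after an agent upgrade shows whether a newer OpenSSL build has appeared alongside the old copies.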