Is Access Manager vulnerable to CVE-2015-3194 (Certificate verify crash with missing PSS parameter)?

  • 7017046
  • 04-Dec-2015
  • 22-Jul-2016

Environment

NetIQ Access Manager 4.0
NetIQ Access Manager 4.1
NetIQ Access Manager 4.2
CVE-2015-3194 (https://www.openssl.org/news/secadv/20151203.txt)

Situation

A new vulnerability (CVE-2015-3194), reported at https://www.openssl.org/news/secadv/20151203.txt, is specific to the certificate verification process. NAM does use this process and frequently needs to verify certificates. Is NAM vulnerable to this threat?

Resolution

NAM is not vulnerable to this threat, as its components do not verify X.509 certificates using the OpenSSL implementation.