[Question]: openssl 1.0.2 vulnerability is being reported

[AshishDadhich4h2]

Task name

AzurePowerShell and AzureKeyVault

Task version

5.247.5 and 2.235.1

Environment type (Please select at least one enviroment where you face this issue)

• Self-Hosted
• Microsoft Hosted
• VMSS Pool
• Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operation system

Windows

Question

This is installing openssl 1.0.2 (last updated 12/2019) and has known vulnerabilities.
OpenSSL has strongly recommended upgrading vulnerable versions to the latest patch of 3.0.7 to address the potential impact of the vulnerabilities.

Is any plan to update openssl version?

[AshishDadhich4h2]

Message
AzurePowershell Task
CVE-2022-1292
File C:\agent_work_tasks\AzurePowerShell_72a1931b-effb-4d2e-8fd8-f8472a07cb62\5.248.3\ps_modules\VstsAzureHelpers_\openssl\openssl.exe version 1.0.2l is vulnerable to CVE-2022-1292, which exists in versions >= 1.0.2, < 1.0.2ze.

Keyvault Task
CVE-2022-2068
File C:\agent_work_tasks\AzureKeyVault_1e244d32-2dd4-4165-96fb-b7441ca9331e\2.247.1\node_modules\azure-pipelines-tasks-azure-arm-rest\openssl\openssl.exe version 1.0.2l is vulnerable to CVE-2022-2068, which exists in versions >= 1.0.2, < 1.0.2zf.