Dyalog and Security-related Vulnerabilities

Last updated 2024-04-02


We occasionally receive enquiries as to the susceptibility of Dyalog, or applications implemented in Dyalog, to security‑related vulnerabilities. This page lists vulnerabilities that we have either responded to or been asked to comment on.

XZ Utils vulnerability

Last updated 2024-04-02

CVE-2024-3094: No part of Dyalog APL or its associated features makes use of XZ in any form. We have verified that none of our internal or outward-facing servers are affected.

GnuTLS

Last updated 2022-07-04

Our secure TCP layer, known as Conga, uses GnuTLS to implement secure communications. We monitor security bulletins related to GnuTLS, and re-compile and make new versions of Conga available as required.

CVE-2014-0092: On all platforms, Conga v2.4 and earlier are exposed to the security bug described in CVE-2014-0092. This affects the use of Conga with secure communications (SSL and TLS) only. Conga v2.5 was recompiled in March 2014 against GnuTLS 3.2.12, which contains a fix for this issue.

OpenSSL

Last updated 2022-12-14

The Dyalog interpreter does not make any use of OpenSSL. The Dyalog Cryptographic Library provides APL applications with access to cryptographic functions supplied by OpenSSL, but does not use OpenSSL 3.0 or provide access to the TLS/SSL features of the library.

CVE-2022-3786, CVE-2022-3602 and CVE-2022-3996: No part of Dyalog, nor any library shipped by Dyalog Ltd, makes use of the affected versions of OpenSSL. We have verified that none of our internal or outward-facing servers are affected.

zlib

Last updated 2023-01-20

Both the Dyalog APL interpreter and Conga make use of zlib.

CVE-2022-37434: Although all currently released versions link against various zlib versions up to and including 1.2.12, neither the interpreter nor Conga makes use of the affected function inflateGetHeader, and thus neither is open to the vulnerability.

Java

Last updated 2022-07-04

Dyalog is not vulnerable to any Java-related security issues: no part of Java is required by or included with Dyalog itself. Examples of recent vulnerabilities are:

Dyalog uses the Jenkins automation server internally to schedule the jobs that build Dyalog. Our use of Jenkins relies only on the Java runtime engine.