A number of tools have been developed that test for CVE-2014-0224 by sending a change of cipher specification before the initial TCP handshake has finished. If the change is rejected, the tools report the PCS as safe; if it is accepted, the PCS is reported as vulnerable.
The attack (for CVE-2014-0224) can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1.
7.2 and 7.3 use OpenSSL based on versions earlier than 1.0.1, so the cipher-spec change vulnerability is not exploitable on the server side. The tools that check for this look for the behaviour introduced by the patch that resolved the issue in later versions. Because 7.2 and 7.3 do not carry that patch, the tools do not see the patched behaviour and list the PCS as vulnerable even though the attack cannot be exploited. Hence it is a false positive.
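The triage logic described above, as an added example that is not part of this page and not the vendor's or the scanners' own code: it combines a scanner's early-ChangeCipherSpec probe result with the server's reported OpenSSL version, and separates a genuine server-side finding from the false positive that an unpatched pre-1.0.1 build produces. The host names and version strings in `SAMPLE_FINDINGS` are constructed sample values. The fixed versions used for the range check (1.0.1h, with 1.0.2-beta1 as the other affected server release) come from the OpenSSL advisory for CVE-2014-0224, not from this page. It also carries the client-side caveat from the text: a host whose OpenSSL is outside the server-exploitable range still needs patching if the same library makes outbound TLS connections.

```python
"""Triage CVE-2014-0224 (early ChangeCipherSpec) scanner findings by OpenSSL version.

Added example, not the page's or vendor's code.  Scanner results and
version strings below are constructed sample values.
"""
import re

# Verdicts returned by triage()
NOT_VULNERABLE = "not vulnerable"
VULNERABLE = "vulnerable"
FALSE_POSITIVE = "false positive"

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?$")


def parse_openssl_version(text):
    """Turn '0.9.8za', '1.0.1g' or '1.0.2-beta1' into a comparable tuple.

    Betas sort before the final release of the same number; patch letters
    sort after it, and 'za' sorts after 'z' (0.9.8z < 0.9.8za).
    """
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, fix, letters, beta = m.groups()
    beta_rank = int(beta) if beta else 10 ** 6  # non-beta sorts last
    letter_rank = 0
    for ch in letters:
        letter_rank = letter_rank * 27 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(fix), beta_rank, letter_rank)


# Server-side exploitable range: the 1.0.1 series before the fix in 1.0.1h,
# plus 1.0.2-beta1 (per the OpenSSL advisory of 5 June 2014).
_SERVER_AFFECTED_FROM = parse_openssl_version("1.0.1")
_SERVER_FIXED = parse_openssl_version("1.0.1h")
_SERVER_AFFECTED_BETA = parse_openssl_version("1.0.2-beta1")


def server_side_exploitable(version):
    """True when this OpenSSL version is known to be exploitable as a server."""
    v = parse_openssl_version(version)
    return _SERVER_AFFECTED_FROM <= v < _SERVER_FIXED or v == _SERVER_AFFECTED_BETA


def triage(server_version, early_ccs_rejected, acts_as_tls_client=False):
    """Combine the probe outcome with the server's OpenSSL version.

    Returns (verdict, explanation).  A rejected early CCS means the fix is
    present.  An accepted early CCS is a server-side vulnerability only in
    the affected range; elsewhere it is a false positive for the server
    role, although the same library remains vulnerable as a TLS client.
    """
    if early_ccs_rejected:
        return NOT_VULNERABLE, "early ChangeCipherSpec rejected; fix present"
    if server_side_exploitable(server_version):
        return VULNERABLE, ("early CCS accepted and OpenSSL %s is in the "
                            "server-exploitable range" % server_version)
    note = ("early CCS accepted, but OpenSSL %s is outside the server-exploitable "
            "range (1.0.1 before 1.0.1h, 1.0.2-beta1)" % server_version)
    if acts_as_tls_client:
        note += "; still patch, the same library is vulnerable as a TLS client"
    return FALSE_POSITIVE, note


# Constructed sample scanner output: (host, OpenSSL version, early CCS rejected?)
SAMPLE_FINDINGS = [
    ("host-a.example", "0.9.8y", False),       # pre-1.0.1, accepts early CCS
    ("host-b.example", "1.0.0l", False),       # pre-1.0.1, accepts early CCS
    ("host-c.example", "1.0.1g", False),       # genuinely exploitable server
    ("host-d.example", "1.0.1h", True),        # patched, rejects early CCS
    ("host-e.example", "1.0.2-beta1", False),  # genuinely exploitable server
]


def triage_findings(findings=SAMPLE_FINDINGS):
    """Return {host: verdict} for a list of scanner findings."""
    return {host: triage(ver, rejected)[0] for host, ver, rejected in findings}


if __name__ == "__main__":
    for host, ver, rejected in SAMPLE_FINDINGS:
        verdict, why = triage(ver, rejected)
        print("%-16s %-12s %-15s %s" % (host, ver, verdict, why))
```

Running the block prints one line per sample finding; the two pre-1.0.1 hosts come out as false positives while the 1.0.1g and 1.0.2-beta1 hosts are reported as vulnerable. Feed `triage()` the version string from the server banner or package inventory alongside the scanner's probe result; pass `acts_as_tls_client=True` for hosts that also initiate TLS connections with the same library, since the page notes OpenSSL clients are vulnerable in all unfixed versions.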