In late October 2022, reports emerged of an impending OpenSSL update for a critical vulnerability. On November 1, OpenSSL version 3.0.7 was released to address two high-severity buffer overflow vulnerabilities (CVE-2022-3602 and CVE-2022-3786) affecting versions 3.0.0 through 3.0.6. CVE-2022-3602 had originally been assigned a critical severity, but after further review the OpenSSL project team determined that it did not meet the criteria for a critical vulnerability. Because OpenSSL source code is so widely distributed and embedded in other software, organizations should evaluate their exposure to these issues and take appropriate action. Neither vulnerability is known to be under active exploitation as of this publication.
Both vulnerabilities involve a potential buffer overrun during X.509 certificate verification. An attacker could exploit CVE-2022-3602 by crafting a malicious email address in a certificate to overflow four attacker-controlled bytes, resulting in a denial of service or potentially remote code execution. Exploiting CVE-2022-3786 likewise involves a crafted malicious email address, but the overflow is of an arbitrary number of bytes and could cause a denial of service. For TLS clients, connecting to a malicious server could trigger these vulnerabilities.
Our Security Partner (Secureworks Counter Threat Unit researchers) recommends that customers review their environments for vulnerable versions and upgrade to version 3.0.7 as appropriate. The OpenSSL blog describes mitigations for organizations that cannot immediately upgrade.
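The following POSIX shell script is an added example to support the "review your environment" step above; it is not part of the advisory or of the OpenSSL project. It parses the banner printed by `openssl version` and classifies the version against the affected range stated in this advisory (3.0.0 through 3.0.6). The function names and the sample banner strings are constructed for the example. One caveat worth keeping in mind: the system `openssl` binary is only one copy. Applications that statically link or bundle their own OpenSSL 3.0.x (the NCSC-NL repository linked below tracks such software) will not be found by this check and must be inventoried separately.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an OpenSSL version
# against the range affected by CVE-2022-3602 / CVE-2022-3786 (3.0.0 - 3.0.6).

# Extract the bare version (e.g. "3.0.5") from a banner such as
# "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)".
openssl_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 (true) when the version lies within 3.0.0..3.0.6, 1 otherwise.
# The 1.1.1 branch and 3.0.7 or later are not affected by these two CVEs.
openssl_version_is_affected() {
    ver=$1
    major=${ver%%.*}          # "3"   from "3.0.5"
    rest=${ver#*.}            # "0.5"
    minor=${rest%%.*}         # "0"
    patch=${rest#*.}          # "5"   (may carry a suffix such as "6-dev")
    patch=${patch%%[!0-9]*}   # keep only the leading digits
    [ "$major" = 3 ] && [ "$minor" = 0 ] && [ "${patch:-0}" -le 6 ]
}

# Check the OpenSSL binary on PATH. Exit status: 0 affected, 1 not affected,
# 2 when no openssl binary is available.
check_local_openssl() {
    banner=$(openssl version 2>/dev/null) || {
        echo "openssl binary not found on PATH"
        return 2
    }
    ver=$(openssl_version_from_banner "$banner")
    if openssl_version_is_affected "$ver"; then
        echo "AFFECTED: OpenSSL $ver - upgrade to 3.0.7 or later"
        return 0
    fi
    echo "not affected by CVE-2022-3602/3786: OpenSSL $ver"
    return 1
}

# Run the local check only when invoked with "--check", so the functions
# can also be sourced from other inventory scripts.
if [ "${1:-}" = "--check" ]; then
    check_local_openssl
fi
```

Run it as `sh openssl-check.sh --check` on each host, or source it and call `openssl_version_is_affected` on version strings collected from package managers and application inventories.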
If you have any questions or concerns about this advisory, please contact us via our support desk – firstname.lastname@example.org
- CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows – OpenSSL Blog
- OpenSSL version 3.0.7 published
- GitHub – NCSC-NL/OpenSSL-2022: Operational information regarding CVE-2022-3602 and CVE-2022-3786, two vulnerabilities in OpenSSL 3
- OpenSSL-2022/README.md at main · NCSC-NL/OpenSSL-2022 · GitHub