
Description:

OpenSSL has released a security advisory detailing two new high-severity vulnerabilities (CVE-2022-3602 and CVE-2022-3786) affecting versions 3.0.0 to 3.0.6.

Both bugs are stack buffer overflows in the Punycode decoding that OpenSSL 3.0 performs when checking X.509 name constraints against an email address in a certificate, so the trigger in each case is a certificate carrying a specially crafted email address. CVE-2022-3786 lets an attacker overflow the buffer by an arbitrary number of bytes, every one of which is the '.' character, so the realistic outcome is a crash, that is, denial of service. CVE-2022-3602 is an arbitrary 4-byte stack buffer overflow in which the four bytes are attacker-controlled, so the outcome is a crash or potentially remote code execution. In both cases the overflow happens during certificate verification, after the chain's signatures have already been checked: an attacker therefore needs either a certificate signed by a CA the target trusts or an application that continues verification despite failing to build a path to a trusted issuer. A TLS client is exposed when it connects to a malicious server; a TLS server is exposed only if it requests client authentication and a malicious client connects.
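As an added illustration, not taken from the advisory and not OpenSSL's source, the following C program models the shape of CVE-2022-3602. It is a working RFC 3492 Punycode decoder (the encoding OpenSSL 3.0 decodes for internationalised email domains during name-constraint checking) that inserts 32-bit code points into a fixed-size buffer; the bounds check before each insertion is selectable, so the off-by-one form (refuse only once the count already exceeds the capacity) can be compared with the corrected form (refuse when the count equals it). With the off-by-one form, the insertion that takes the count from `cap` to `cap + 1` still runs and writes exactly one `uint32_t`, four bytes, past the end, which is the 4-byte overflow the advisory describes. The function names, the `strict_bound` flag, the canary value and the labels `bcher-kva` and `mnchen-3ya` are choices made for this example only; the demo's backing array is deliberately one element larger than the advertised capacity, so the program itself never writes out of bounds.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 3492 bootstring parameters for Punycode */
enum { BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700,
       INITIAL_BIAS = 72, INITIAL_N = 128 };

static int digit_value(int c)
{
    if (c >= 'a' && c <= 'z') return c - 'a';
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= '0' && c <= '9') return c - '0' + 26;
    return -1;
}

static unsigned adapt(unsigned delta, unsigned numpoints, int firsttime)
{                                       /* bias adaptation, RFC 3492 s6.1 */
    unsigned k = 0;
    delta = firsttime ? delta / DAMP : delta / 2;
    delta += delta / numpoints;
    for (; delta > ((BASE - TMIN) * TMAX) / 2; k += BASE)
        delta /= BASE - TMIN;
    return k + (BASE - TMIN + 1) * delta / (delta + SKEW);
}

/* Decode one Punycode label (no "xn--" prefix) into out[], nominally cap
 * code points long. Returns the count written, or -1 on error.
 * strict_bound == 0 models the off-by-one of CVE-2022-3602: an insertion is
 * refused only once `written` already exceeds cap, so the one taking it from
 * cap to cap + 1 still runs and writes one uint32_t (4 bytes) past the end.
 * strict_bound == 1 models the corrected check (refuse at written == cap). */
static int punycode_decode(const char *enc, uint32_t *out, size_t cap,
                           int strict_bound)
{
    size_t len = strlen(enc), in = 0, written = 0;
    unsigned n = INITIAL_N, i = 0, bias = INITIAL_BIAS;
    const char *dash = strrchr(enc, '-');
    if (dash != NULL) {                 /* ASCII run ends at the last '-' */
        size_t basic = (size_t)(dash - enc);
        if (basic > cap)
            return -1;
        for (; written < basic; written++)
            out[written] = (unsigned char)enc[written];
        in = basic + 1;
    }
    while (in < len) {
        unsigned oldi = i, w = 1, k, t;
        for (k = BASE;; k += BASE) {    /* one variable-length delta */
            int d = in < len ? digit_value((unsigned char)enc[in++]) : -1;
            if (d < 0)
                return -1;              /* truncated or non-base-36 input */
            i += (unsigned)d * w;
            t = k <= bias ? TMIN : (k >= bias + TMAX ? TMAX : k - bias);
            if ((unsigned)d < t)
                break;
            w *= BASE - t;
        }
        bias = adapt(i - oldi, (unsigned)written + 1, oldi == 0);
        n += i / (unsigned)(written + 1);
        i %= (unsigned)(written + 1);
        /* the bounds check whose off-by-one is the whole vulnerability */
        if (strict_bound ? written >= cap : written > cap)
            return -1;
        memmove(out + i + 1, out + i, (written - i) * sizeof *out);
        out[i++] = n;
        written++;
    }
    return (int)written;
}

/* Decode `label` with cap == CAP into a backing array one element larger,
 * holding a canary in the spare slot so the demo itself stays in bounds.
 * Returns 1 if the canary was clobbered (the 4-byte overflow happened),
 * 0 otherwise; *rc_out, if non-NULL, receives the decoder's return value. */
static int overflow_demo(const char *label, int strict_bound, int *rc_out)
{
    enum { CAP = 5 };
    const uint32_t canary = 0xDEADBEEFu;
    uint32_t buf[CAP + 1] = {0};
    int rc;
    buf[CAP] = canary;
    rc = punycode_decode(label, buf, CAP, strict_bound);
    if (rc_out != NULL)
        *rc_out = rc;
    return buf[CAP] != canary;
}

/* Decode with the corrected check into a roomy buffer; return the code point
 * at index idx, or 0 on error or out of range. */
static uint32_t decoded_cp(const char *label, size_t idx)
{
    uint32_t buf[64];
    int n = punycode_decode(label, buf, 64, 1);
    return (n < 0 || idx >= (size_t)n) ? 0 : buf[idx];
}
```

The label `bcher-kva` decodes to six code points (b, U+00FC, c, h, e, r), one more than the demo's capacity of five. Driven from a small main() of your own, `overflow_demo("bcher-kva", 0, &rc)` returns 1 with `rc == 6`: the decoder reports six code points written into a five-slot buffer and the canary is gone. With `strict_bound` set to 1 it returns 0 and `rc == -1`. In a real process the spare slot does not exist; those four bytes land on whatever the compiler placed after the buffer, which is why the observable outcome ranges from nothing at all, to a stack-protector abort, to a crash, depending on platform and build.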

Although CVE-2022-3602 was originally classed as critical, it has since been downgraded to high severity. In a blog post, OpenSSL said that organisations testing the vulnerability had found that “many modern platforms implement stack overflow protections which would mitigate against the risk of remote code execution and usually lead to a crash instead”, and that on certain Linux distributions the overwritten bytes caused neither a crash nor any ability to cause remote code execution. The lower likelihood of successful remote code execution is what led to the downgrade. Note that whether the overflow is harmless, aborts the process or is exploitable depends on the compiler and platform stack layout, not on anything an operator controls, so it is not a reason to defer patching. OpenSSL added, “We still consider these issues to be serious vulnerabilities, and affected users are encouraged to upgrade as soon as possible”. The organisation has stressed that OpenSSL versions 1.1.1 and 1.0.2 are not affected by these bugs and that it is not currently aware of either vulnerability being exploited in the wild.

Preventions:

To prevent exploitation of these vulnerabilities on your system, upgrade to OpenSSL version 3.0.7, the release that fixes both issues. OpenSSL adds that users who obtain OpenSSL from their operating system vendor or a third party should seek an updated version from that vendor as soon as possible. Two practical caveats: a vendor build may carry the backported fix under a version string that is still below 3.0.7, so confirm the fix through the vendor's advisory or package changelog rather than the version number alone; and applications that are statically linked against OpenSSL 3.0.x, or that ship their own copy of libssl and libcrypto, must be updated separately from the system library.

If you cannot upgrade immediately, OpenSSL recommends that operators of TLS servers consider disabling TLS client authentication, where it is in use, until the fix can be applied. This closes the server-side trigger, because the server then never parses a client-supplied certificate, but it does nothing for TLS clients, which remain exposed whenever they connect to a server presenting a crafted certificate; the mitigation protects servers only.

Related Links: