High Severity OpenSSL 3.0.x Vulnerabilities Discovered (CVE-2022-3786 and CVE-2022-3602)
The OpenSSL project team has just announced a security fix for two distinct buffer overflow vulnerabilities (CVE-2022-3786 and CVE-2022-3602) affecting versions 3.0.0 to 3.0.6 of the popular open-source cryptographic library.
According to the OpenSSL team, although these high-severity vulnerabilities affect less common configurations, they are still considered likely exploitable. Examples include an attacker being able to compromise server private keys and other sensitive memory contents, which could lead to remote code execution scenarios.
In the case of CVE-2022-3602, exploitation may occur when a specially crafted malicious email address overflows four bytes on the stack in the name constraint checking function used during X.509 certificate verification. CVE-2022-3786 is a similar variable-length stack buffer overflow, but one that requires the participation of a CA.
- What is OpenSSL?
- Am I affected?
- How to mitigate/patch this vulnerability
- How to identify your vulnerable hosts?
- Summing up
What is OpenSSL?
OpenSSL is a high-performance software library that enables secure communication by providing an open-source implementation of the SSL and TLS protocol stacks. It supports a wide range of uses, including the creation of self-signed certificates, server authentication, and related cryptographic operations such as generating and verifying file checksums or encrypting data at rest.
Released back in September 2021, OpenSSL v3 marked a major milestone in the product’s development; however, to date, v1 deployments still vastly outnumber v3 deployments.
Vulnerable OpenSSL 3.0.x instances across popular CSPs (Source: Wiz.io)
Am I affected?
If you are running any OpenSSL version from 3.0.0 to 3.0.6, you are affected by these vulnerabilities, as you can see from the table below:
| Affected versions: | Not vulnerable: |
|---|---|
| 3.0.0 to 3.0.6 | 3.0.7 |
It’s important to also mention that projects such as Node.js and Docker have published individual advisories regarding the role of OpenSSL 3.x in some of their offerings. These cover Node.js versions 18.x and 19.x, as well as close to 1,000 Docker image repositories based on recent Linux distributions that install OpenSSL 3.x by default. An additional list of affected and unaffected platforms can be found here.
How to mitigate/patch this vulnerability
Users of versions 3.0.0 to 3.0.6 are encouraged to upgrade to OpenSSL 3.0.7; this is the only way to remediate these vulnerabilities. You can build from the source tarball, or wait for the fixed packages to reach your OS’s security repositories.
How to identify your vulnerable hosts?
Our Attack Surface Intelligence Risk Rules engine, specifically the ‘Vulnerable Version of OpenSSL’ rule, has been updated to scan your projects for these vulnerable versions, so exposed OpenSSL 3.0.x installations are detected right away.
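For a host-side complement to external scanning, the following added example (not part of the original post or the Risk Rules engine) parses `openssl version` banners and flags anything in the 3.0.0 to 3.0.6 window described above. The sample banners are constructed, and the fixed version 3.0.7 is taken from the advisory.

```python
"""Classify `openssl version` banners against CVE-2022-3602 / CVE-2022-3786."""
import re
import subprocess
from typing import Optional, Tuple

# Window from the advisory: 3.0.0 through 3.0.6 affected, 3.0.7 carries the fix.
AFFECTED_MIN = (3, 0, 0)
FIXED = (3, 0, 7)

# Matches "OpenSSL 3.0.6 11 Oct 2022" and letter-suffixed 1.x banners like "OpenSSL 1.1.1q".
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch); None for LibreSSL or unrecognised banners."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3))  # type: ignore[return-value]


def is_affected(banner: str) -> Optional[bool]:
    """True if the banner is OpenSSL 3.0.0..3.0.6, False otherwise, None if unparseable.

    Caveat: a distribution may backport the fix without bumping the upstream version
    string, so treat a True result as 'needs review' and confirm with the package changelog.
    Also, applications that bundle their own OpenSSL (e.g. Node.js) are not covered by
    checking the system binary.
    """
    v = parse_version(banner)
    if v is None:
        return None
    return AFFECTED_MIN <= v < FIXED


def check_local_binary(cmd: str = "openssl") -> str:
    """Run `<cmd> version` on this host and return a one-line verdict."""
    try:
        out = subprocess.run([cmd, "version"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError) as exc:
        return f"{cmd}: could not determine version ({exc})"
    banner = out.stdout.strip()
    verdict = {True: "AFFECTED - upgrade to 3.0.7", False: "outside 3.0.0-3.0.6",
               None: "unrecognised banner"}[is_affected(banner)]
    return f"{banner}: {verdict}"


# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = ["OpenSSL 3.0.6 11 Oct 2022", "OpenSSL 3.0.7 1 Nov 2022",
                  "OpenSSL 1.1.1q  5 Jul 2022", "LibreSSL 3.5.3"]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r}: affected={is_affected(b)}")
    print(check_local_binary())
```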
While the OpenSSL project’s timely disclosure of these vulnerabilities comes with a sense of urgency given the high-severity classification, it is also worth noting that they affect only a small subset of deployments of this widely used software. Take this moment to fully understand your risk exposure and, if impacted, get ready to patch as soon as possible.