
High-severity OpenSSL vulnerabilities fixed (CVE-2022-3602, CVE-2022-3786)
2022-11-01 17:36

Version 3.0.7 of the popular OpenSSL cryptographic library is out, with fixes for CVE-2022-3602 and CVE-2022-3786, two high-severity buffer overflow vulnerabilities in the punycode decoder that could lead to crashes or potentially remote code execution.

After the first issue (CVE-2022-3602) was disclosed to the OpenSSL Project team, OpenSSL committer Viktor Dukhovni found "a second independently triggerable issue" - CVE-2022-3786.

The vulnerabilities have been fixed in OpenSSL v3.0.7, and don't affect OpenSSL 1.1.1s or earlier versions in that branch.

Censys has created an interactive dashboard showing servers running a version of OpenSSL greater than or equal to 3.0.0.

The OpenSSL team still encourages users to upgrade to the fixed version as soon as possible, though with less urgency than originally expected.

"Any OpenSSL 3.0 application that verifies X.509 certificates received from untrusted sources should be considered vulnerable. This includes TLS clients, and TLS servers that are configured to use TLS client authentication," the OpenSSL team noted, and added that users operating TLS servers may consider disabling TLS client authentication until fixes can be applied.
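The upgrade advice above boils down to a version check: OpenSSL 3.0.0 through 3.0.6 is affected, 3.0.7 and later carry the fix, and the 1.1.1 branch is not affected. The POSIX shell function below is an added example (not a script from the OpenSSL project or the article) that classifies the output of `openssl version` accordingly; the function name and the four result labels are my own choices.

```shell
#!/bin/sh
# Classify an `openssl version` string against the CVE-2022-3602 /
# CVE-2022-3786 affected range (3.0.0 through 3.0.6; fixed in 3.0.7).
# Prints one of: affected, fixed, not-affected, unknown.
# Added example, not OpenSSL project code.
openssl_punycode_cve_status() {
    # Only genuine OpenSSL strings are parsed; LibreSSL reports "LibreSSL 3.x"
    # and must not be mistaken for OpenSSL 3.x, so it falls through to unknown.
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    # Drop 1.1.1-style letter suffixes ("1.1.1s") and pre-release tags
    # ("3.0.0-dev" has already lost "-dev" in the sed above).
    num=$(printf '%s' "$ver" | sed 's/[a-z]*$//')
    case "$num" in *.*) ;; *) num="$num.0" ;; esac   # ensure major.minor
    major=${num%%.*}; rest=${num#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0                  # no third component
    case "$major" in
        0|1) echo not-affected ;;                      # 1.1.1 branch is unaffected
        3) if [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
               echo affected                           # 3.0.0 .. 3.0.6
           else
               echo fixed                              # 3.0.7+ and later 3.x
           fi ;;
        *) if [ "$major" -gt 3 ]; then echo fixed; else echo unknown; fi ;;
    esac
}

# Convenience wrapper for the local command-line binary.
check_local_openssl() {
    openssl_punycode_cve_status "$(openssl version 2>/dev/null)"
}
```

Two caveats: distribution packages may backport the fix without changing the upstream version string, so confirm against the package changelog, and the `openssl` binary may not be the libssl a given application is actually linked against.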


News URL

https://www.helpnetsecurity.com/2022/11/01/high-severity-openssl-vulnerabilities-fixed-cve-2022-3602-cve-2022-3786/

Related Vulnerability

DATE        CVE            VULNERABILITY TITLE                                         RISK (CVSS)
2022-11-01  CVE-2022-3786  Classic Buffer Overflow vulnerability in multiple products  7.5
            Description: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.
            Attack vector: network; attack complexity: low
            Affected vendors: openssl, fedoraproject, nodejs
            Weakness: CWE-120
2022-11-01  CVE-2022-3602  Out-of-bounds Write vulnerability in multiple products      7.5
            Description: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.
            Attack vector: network; attack complexity: low
            Affected vendors: openssl, fedoraproject, netapp, nodejs
            Weakness: CWE-787

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Openssl 2 12 92 51 16 171