Security News > 2022 > November > High-severity OpenSSL vulnerabilities fixed (CVE-2022-3602, CVE-2022-3786)

High-severity OpenSSL vulnerabilities fixed (CVE-2022-3602, CVE-2022-3786)
2022-11-01 17:36

Version 3.0.7 of the popular OpenSSL cryptographic library is out, with fixes for CVE-2022-3602 and CVE-2022-3786, two high-severity buffer overflow vulnerabilities in the punycode decoder that could lead to crashes or potentially remote code execution.

After its disclosure to the OpenSSL Project team, OpenSSL committer Viktor Dukhovni found "a second independently triggerable issue" - CVE-2022-3786.

The vulnerabilities have been fixed in OpenSSL v3.0.7, and don't affect OpenSSL 1.1.1s or earlier versions in that branch.

Censys has created an interactive dashboard showing servers running a version of OpenSSL greater than or equal to 3.0.0.

The OpenSSL team still encourages users to upgrade to a new version as soon as possible, but the urgency can be toned down.

"Any OpenSSL 3.0 application that verifies X.509 certificates received from untrusted sources should be considered vulnerable. This includes TLS clients, and TLS servers that are configured to use TLS client authentication," the OpenSSL team noted, and added that users operating TLS servers may consider disabling TLS client authentication until fixes can be applied.


News URL

https://www.helpnetsecurity.com/2022/11/01/high-severity-openssl-vulnerabilities-fixed-cve-2022-3602-cve-2022-3786/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-11-01 CVE-2022-3786 Classic Buffer Overflow vulnerability in multiple products
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.
network
low complexity
openssl fedoraproject nodejs CWE-120
7.5
2022-11-01 CVE-2022-3602 Out-of-bounds Write vulnerability in multiple products
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.
network
low complexity
openssl fedoraproject netapp nodejs CWE-787
7.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Openssl 1 7 48 51 13 119