OpenSSL fixes two high severity vulnerabilities, what you need to know (Security News, November 2022)
The OpenSSL Project has patched two high-severity security flaws in its open-source cryptographic library used to encrypt communication channels and HTTPS connections.
The vulnerabilities affect OpenSSL version 3.0.0 and later and have been addressed in OpenSSL 3.0.7.
"We still consider these issues to be serious vulnerabilities and affected users are encouraged to upgrade as soon as possible," the OpenSSL team said.
"If you know in advance where you are using OpenSSL 3.0+ and how you are using it then when the advisory comes you'll be able to quickly determine if or how you're affected and what you need to patch," Cox said.
While the initial warning prompted admins to take immediate action to mitigate the flaw, the actual impact is much more limited: CVE-2022-3602 has been downgraded to high severity, and it only affects OpenSSL 3.0 and later instances.
Even though some security experts and vendors have equated the discovery of this vulnerability with the Log4Shell flaw in the Apache Log4J logging library, only roughly 7,000 Internet-exposed systems were found running vulnerable OpenSSL versions, out of a total of more than 1,793,000 unique hosts spotted by Censys online; Shodan lists around 16,000 publicly accessible OpenSSL instances.
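The inventory step Cox describes above (knowing where OpenSSL 3.0+ is in use before the advisory lands), as an added example that is not from the article or the OpenSSL project: a POSIX sh function that classifies an `openssl version` banner against the range the article gives (3.0.0 up to and including 3.0.6 affected, 3.0.7 and later fixed). The sample banners are constructed, not collected from real hosts.

```shell
#!/bin/sh
# Classify an `openssl version` banner against the advisory's range:
#   3.0.0 <= version < 3.0.7  -> affected
#   3.0.7 and later           -> fixed
#   1.x (1.1.1, 1.0.2)        -> not-affected (outside the 3.0 series)
# Anything that is not an "OpenSSL x.y.z" banner (e.g. LibreSSL) -> unknown
openssl_3_0_status() {
    # The version token is the second field of e.g. "OpenSSL 3.0.5 5 Jul 2022".
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;            # need major.minor.patch
        *) echo unknown; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Drop letter or "-dev" suffixes ("1.1.1q") so the numeric compare works.
    patch=$(printf '%s' "$patch" | sed 's/[^0-9].*$//')
    [ -n "$patch" ] || patch=0
    if [ "$major" -lt 3 ]; then
        echo not-affected
    elif [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 7 ]; then
        echo affected
    else
        echo fixed
    fi
}

# Constructed sample banners (not taken from any real system).
for banner in "OpenSSL 3.0.5 5 Jul 2022" "OpenSSL 3.0.7 1 Nov 2022" \
              "OpenSSL 1.1.1q 5 Jul 2022" "LibreSSL 3.6.0"; do
    printf '%-28s -> %s\n' "$banner" "$(openssl_3_0_status "$banner")"
done
```

The banner check is only a first pass: distributions that backport the fix often keep the upstream version number, so confirm against the vendor's package changelog before treating a host as affected.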
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-11-01 | CVE-2022-3602 | Out-of-bounds Write vulnerability in multiple products. A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. | 7.5 |