High Severity Vulnerabilities in OpenSSL

Published on 02 Nov 2022

Updated on 02 Nov 2022

OpenSSL has released security updates to address two high-severity vulnerabilities (CVE-2022-3602 and CVE-2022-3786) in its open-source cryptographic library, which is widely used to implement TLS and therefore to protect HTTPS and other encrypted connections.

The vulnerabilities are as follows:

  • CVE-2022-3602 - An X.509 email address 4-byte buffer overflow. A crafted email address in a certificate can overflow four attacker-controlled bytes on the stack during name-constraint checking in certificate verification, which could trigger a crash (denial of service) or potentially lead to remote code execution (RCE).
  • CVE-2022-3786 - An X.509 email address variable-length buffer overflow. A crafted email address in a certificate can overflow an arbitrary number of bytes containing the '.' character on the stack during the same name-constraint checking, which could trigger a crash (denial of service).

Both overflows occur after the certificate chain signature has been verified, so exploitation requires either a CA to have signed the malicious certificate or an application that continues certificate verification despite failing to build a path to a trusted issuer. A TLS client is exposed when it connects to a malicious server; a TLS server is exposed only if it requests client authentication and a malicious client connects.

OpenSSL versions 3.0.0 to 3.0.6 are affected by these vulnerabilities; the 1.1.1 and 1.0.2 branches are not. Administrators and users of the affected versions are advised to upgrade to version 3.0.7 immediately. Software that bundles or statically links its own copy of OpenSSL 3.0.x is not fixed by upgrading the system library and needs an update from its vendor.
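The following shell script is an added example and is not part of the advisory or of OpenSSL's own tooling. It classifies a version string of the form printed by `openssl version` against the affected range stated above (3.0.0 through 3.0.6, with 1.1.1 and 1.0.2 unaffected) and, if an `openssl` binary is on PATH, reports on the installed copy. The function names are arbitrary choices for this example.

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether a reported OpenSSL
# version falls in the affected range (3.0.0 through 3.0.6) and report on
# the copy of openssl found on PATH, if any.

# openssl_affected VERSION_STRING
# Accepts the raw output of "openssl version" (e.g. "OpenSSL 3.0.6 11 Oct 2022")
# or a bare version such as "3.0.2". Returns 0 if affected, 1 otherwise.
openssl_affected() {
    v=${1#OpenSSL }          # drop the program name, if present
    v=${v%% *}               # drop the build date and anything after it
    case $v in
        [0-9]*.[0-9]*.[0-9]*) ;;   # need major.minor.patch
        *) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    patch=${3%%[!0-9]*}      # strip a letter suffix such as the "q" in 1.1.1q
    # Only the 3.0 branch is affected; 1.1.1 and 1.0.2 are not.
    [ "$1" -eq 3 ] && [ "$2" -eq 0 ] && [ -n "$patch" ] && [ "$patch" -le 6 ]
}

# openssl_verdict VERSION_STRING -> prints "affected" or "not affected"
openssl_verdict() {
    if openssl_affected "$1"; then
        echo affected
    else
        echo "not affected"
    fi
}

# Check the openssl binary on PATH. Applications that bundle their own
# libssl are not covered by this check and need their own update.
check_installed() {
    if command -v openssl >/dev/null 2>&1; then
        line=$(openssl version)
        printf '%s: %s\n' "$line" "$(openssl_verdict "$line")"
    else
        echo "openssl not found on PATH"
    fi
}

check_installed
```

The check only reports the library that the `openssl` command on PATH was built against; separate copies used by other applications (containers, statically linked binaries, language runtimes shipping their own OpenSSL) need to be checked and updated individually.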

More information is available here:

https://www.openssl.org/news/secadv/20221101.txt

https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

https://www.bleepingcomputer.com/news/security/openssl-fixes-two-high-severity-vulnerabilities-what-you-need-to-know/