UPDATE: CRITICAL VULNERABILITY IN OPENSSL 3
Date: 01-10-2022
The developers of OpenSSL[1] released OpenSSL update version 3.0.7 on November 1, 2022. This version contains fixes to two HIGH risk vulnerabilities. Northwave recommends upgrading products that use OpenSSL as soon as possible. The OpenSSL developers originally announced a CRITICAL security update for OpenSSL version 3[2]. Northwave has informed you of this critical vulnerability in OpenSSL 3 in a previous Threat Response[3]. After new insights, the OpenSSL developers decided to downgrade the vulnerability to HIGH instead of CRITICAL, since exploitation is unlikely in common scenarios[4].
The vulnerabilities are tracked under CVE-2022-3786 and CVE-2022-3602.
Mitigation
OpenSSL released a security update to version 3.0.7 on Tuesday, the 1st of November that mitigates the vulnerability[2]. Following this, vendors will be able to integrate the new version into their products and release updates for these products.
What should you do?
Northwave recommends performing the following actions:
- Implement the security update of OpenSSL (version 3.0.7) as soon as suppliers have implemented the security update in their software.
What will Northwave do?
Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. We will also investigate whether any additional action can be taken based upon available information within our monitoring services.
You can call us by phone or send us an email if you would like additional information.
Sources
[1]: OpenSSL organization – https://www.openssl.org/
[2]: OpenSSL version 3.0.7 published – https://mta.openssl.org/pipermail/openssl-announce/2022-November/000241.html
[3]: Threat Response: Critical Vulnerability in OpenSSL 3 – https://northwave-security.com/threat-response-critical-vulnerability-in-openssl-3/
[4]: CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.