OpenSSL Buffer Overflow Vulnerabilities (CVE-2022-3602 and CVE-2022-3786)

Nov 07, 2022 GMT+08:00

I. Overview

Two high-risk buffer overflow vulnerabilities (CVE-2022-3602 and CVE-2022-3786) have recently been disclosed in OpenSSL 3.0.x versions. A defect in OpenSSL's X.509 certificate verification allows a malicious email address to trigger a buffer overflow. Successful exploitation can cause denial of service (DoS) or remote code execution.

OpenSSL is a powerful Secure Sockets Layer (SSL) cryptography library. If you are an OpenSSL user, check your OpenSSL version and apply security hardening promptly.

Reference: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

II. Severity

Severity: important

(Severity levels: low, moderate, important, and critical)

III. Affected Products

Affected versions:

3.0.0 <= OpenSSL < 3.0.7

Secure versions:

OpenSSL 3.0.7

OpenSSL 1.x and 2.x versions are not affected by the two vulnerabilities.
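
One way to check a host against the range above, as an added example that is not part of the original notice: the script classifies an `openssl version` banner and can also pull the version banner out of a library file or statically linked binary. The function names, the sample banners and the placeholder path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage OpenSSL versions against this notice's affected range
# (3.0.0 <= OpenSSL < 3.0.7). Function names and sample strings are constructed.

# Classify a bare version or an `openssl version` banner.
# Prints: affected | fixed | not-affected | unknown
classify_openssl_version() {
    s=${1#OpenSSL }
    # Keep the leading x.y.z; suffixes such as "s", "-beta1" or "-fips" are dropped,
    # so a 3.0.0 pre-release is reported as affected (the conservative answer).
    ver=$(printf '%s\n' "$s" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -lt 3 ]; then
        echo not-affected            # 1.x and 2.x per the notice
    elif [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -lt 7 ]; then
        echo affected                # 3.0.0 .. 3.0.6
    else
        echo fixed                   # 3.0.7 or later
    fi
}

# Heuristic: find the version banner embedded in a libcrypto/libssl file or a
# statically linked binary, which `openssl version` on PATH does not cover.
openssl_banner_in_file() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" |
        sed -n 's/.*\(OpenSSL [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p' |
        head -n 1
}

# Report one file, e.g. check_file /path/to/libcrypto.so.3 (placeholder path)
check_file() {
    banner=$(openssl_banner_in_file "$1")
    printf '%s\t%s\t%s\n' "$(classify_openssl_version "$banner")" "${banner:-no banner}" "$1"
}

# Constructed sample banners, so the script runs without OpenSSL installed.
# A non-OpenSSL banner (last sample) is reported as unknown.
for sample in "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)" \
              "OpenSSL 3.0.7 1 Nov 2022" "OpenSSL 1.1.1s  1 Nov 2022" "LibreSSL 3.6.1"; do
    printf '%s\t%s\n' "$(classify_openssl_version "$sample")" "$sample"
done
```

On a real host, run `classify_openssl_version "$(openssl version)"`. Distribution packages can carry the fix as a backport while still reporting an upstream version below 3.0.7, so treat `affected` as a prompt to check the package vendor's advisory.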

IV. Security Recommendations

The two vulnerabilities have been fixed in version 3.0.7. Upgrade your affected versions to a secure version.

https://www.openssl.org/source/

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.