Cisco has released a security advisory for OpenSSL vulnerabilities affecting Cisco products.
The Cisco update comes shortly after OpenSSL patched two High severity vulnerabilities on November 1, 2022:
- CVE-2022-3786: X.509 Email Address Variable Length Buffer Overflow
- CVE-2022-3602: X.509 Email Address 4-byte Buffer Overflow
OpenSSL had previously released an announcement on October 25, 2022 forewarning of an upcoming patch for a “Critical” vulnerability in OpenSSL versions 3.0 and above.
In a more recent security update on November 1, 2022, OpenSSL downgraded the vulnerabilities from Critical to High severity after receiving feedback on the issue from several organizations.
Although Cisco is still actively investigating which products may be affected by the OpenSSL vulnerabilities, the tech giant noted “OpenSSL 3.x is not widely used in Cisco products and cloud offers.”
As a result, as of September 4, 2022, Cisco has so far identified only one product affected by the OpenSSL vulnerabilities: IoT Field Network Director (formerly known as Connected Grid Network Management System).
Cisco is investigating multiple networking and cloud products for impact from the OpenSSL vulnerabilities and will update the advisory as new details from the investigation emerge.