OpenSSL has released a security update with fixes for two High risk vulnerabilities (CVE-2022-3786 and CVE-2022-3602).
An attacker could exploit these vulnerabilities to take over impacted systems.
OpenSSL is a software library for applications used to secure communications over the internet and is widely used by the majority of internet-facing HTTPS websites.
OpenSSL previously released an announcement on October 25, 2022 that forewarned of an upcoming “Critical” patch for a Critical vulnerability in OpenSSL versions 3.0 and above.
In a more recent security update on November 1, 2022, OpenSSL downgraded the vulnerabilities from Critical to High severity after receiving feedback on the issue from several organizations.
“We no longer felt that this rating applied to CVE-2022-3602 and therefore it was downgraded on 1st November 2022 before being released to HIGH,” OpenSSL stated in a blog post.
As revealed in a security advisory, OpenSSL patched two High severity vulnerabilities:
- CVE-2022-3786: X.509 Email Address Variable Length Buffer Overflow
- CVE-2022-3602: X.509 Email Address 4-byte Buffer Overflow.
For both issues, “a buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.”
As a consequence, an attacker could craft a malicious email address in a certificate and cause a buffer overflow condition, which could result in a crash (causing a denial of service). Moreover, CVE-2022-3786 could also potentially lead to remote code execution.
OpenSSL 3.0 users are encouraged to upgrade to OpenSSL 3.0.7 as soon as possible.