The OpenSSL project team has announced two new, high-severity vulnerabilities impacting OpenSSL versions 3.0 and later:
- CVE-2022-3602, X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602)
- X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)
OpenSSL versions 3.0 - 3.0.6 users are recommended to upgrade to the safe version 3.0.7. Versions 1.1.1 and 1.0.2. are not impacted by the vulnerability.
These vulnerabilities both relate to how OpenSSL verifies X.509 certificates. Specifically, maliciously crafted email addresses in a certificate can cause a buffer overflow that may lead to a denial of service or remote code execution.
OpenSSL is a library for securely transmitting data over the internet. Servers all over the world use OpenSSL to manage secure data transmission over protocols like SSH and, more familiarly, HTTP/S. It’s an open source implementation of the SSL and TLS protocols and is the de facto standard for securing data in transit; it’s probably best known as the provider of the “S” in HTTPS.
OpenSSL initially characterized the vulnerability as “critical” in an Oct. 25 announcement; it has since downgraded the severity to “high."
OpenSSL Vulnerability 2022 Details
The 2022 OpenSSL vulnerabilities (CVE-2022-3602 and CVE-2022-3786) both fall into the category of buffer overflow. A buffer overflow occurs when a program attempts to access (read or write) an address in memory that is beyond the range of an allocated buffer. Although this type of invalid memory access will often be detected and prevented by the operating system, there are scenarios where a malicious actor can leverage a buffer overflow to cause a program to crash, or, in severe cases, execute arbitrary code.
Additionally, OpenSSL classifies both CVE-2022-3602 and CVE-2022-3786 as high-severity vulnerabilities.
OpenSSL organizes vulnerabilities into four categories. They are (from least severe to most severe): low, moderate, high, and critical. OpenSSL’s explanation for “high” reads in part
“This includes issues that are of a lower risk than critical, perhaps due to affecting less common configurations, or which are less likely to be exploitable. These issues will be kept private and will trigger a new release of all supported versions.”
How to Find and Fix OpenSSL Vulnerability 2022
FOSSA Vulnerability Management subscribers can use our product to help detect vulnerable versions of OpenSSL by doing the following:
For supported languages:
- Import your project using our CLI tool (preferred, most accurate) or using our Quick Import tool (easiest to use for non-technical users)
- Navigate to your project in the UI and view your security issues.
Please note, FOSSA will not detect dynamically linked OpenSSL binaries — we provide best effort results for OpenSSL from language package managers.
For container projects:
Import your container project using our CLI tool by running
fossa container analyze
Navigate to your project in the UI and view your security issues .You can also use FOSSA’s newest product supporting C and C++ projects.
As mentioned, if you are using a vulnerable version of OpenSSL, it’s recommended that you upgrade to the safe version 3.0.7.
If you aren’t currently a FOSSA user, you can get started by selecting one of the following options:
- Request a demo of FOSSA Vulnerability Management (recommended for larger organizations)
- Sign up for the free version of FOSSA (recommended for individuals and small organizations)
FOSSA customer support engineer Sara Beaudet, software engineer Andrew Dailey, and security engineering manager Solomon Rubin contributed to this post.