The OpenSSL Project has released patches for two high-severity security flaws in its open-source cryptographic library, which underpins TLS and HTTPS connections across much of the internet. The vulnerabilities, CVE-2022-3602 and CVE-2022-3786, affect OpenSSL 3.0.0 through 3.0.6 and are fixed in 3.0.7; the 1.1.1 and 1.0.2 branches do not contain the affected code.

CVE-2022-3602 is a stack buffer overflow of four attacker-controlled bytes, triggered by a crafted email address in an X.509 certificate. It can crash the process and could in principle lead to remote code execution (RCE), although the stack-overflow protections on many platforms reduce that risk. CVE-2022-3786 is triggered the same way but overflows an arbitrary number of bytes that are all fixed to the '.' character (0x2E), so its realistic impact is a crash and denial of service.

The OpenSSL Project develops and maintains commercial-grade software for general-purpose cryptography and secure communication.

Impact

The bugs were introduced in OpenSSL 3.0 as part of the punycode decoding functionality (currently used only when processing email address name constraints in X.509 certificates), so releases before 3.0 are not affected. Any OpenSSL 3.0 application that verifies X.509 certificates received from untrusted sources should be considered vulnerable, including TLS clients (a malicious server presents the certificate) and TLS servers configured to use TLS client authentication (a malicious client presents it). The overflow is reached only after certificate chain signature verification, so an attacker needs either a CA willing to sign the malicious certificate or an application that continues verification despite failing to build a path to a trusted issuer.
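To make the failure mode concrete, the following is a minimal RFC 3492 Punycode decoder written for this article. It is not OpenSSL's crypto/punycode.c, although it follows the same structure. The decoder carries both forms of the bounds check that guards the insertion step: the off-by-one `>` comparison of the kind that the 3.0.7 fix for CVE-2022-3602 tightened to `>=`, and the corrected form. The label "bcher-kva" (Punycode for "bücher", six code points), the five-slot buffer and the sentinel value are constructed inputs: with the weak check the decoder writes one unsigned int (4 bytes on common platforms) past the declared buffer, and with the strict check it rejects the label.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* RFC 3492 Punycode parameters */
#define BASE 36
#define TMIN 1
#define TMAX 26
#define SKEW 38
#define DAMP 700
#define INITIAL_BIAS 72
#define INITIAL_N 128

/* Value of a Punycode digit, or -1 if the byte is not one. */
static int digit_value(int c)
{
    if (c >= 'a' && c <= 'z') return c - 'a';
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= '0' && c <= '9') return c - '0' + 26;
    return -1;
}

/* Bias adaptation from RFC 3492 section 6.1. */
static unsigned adapt(unsigned delta, unsigned numpoints, int firsttime)
{
    unsigned k = 0;
    delta = firsttime ? delta / DAMP : delta / 2;
    delta += delta / numpoints;
    while (delta > ((BASE - TMIN) * TMAX) / 2) {
        delta /= BASE - TMIN;
        k += BASE;
    }
    return k + ((BASE - TMIN + 1) * delta) / (delta + SKEW);
}

/* Decode the Punycode label in[0..len) into out, which the caller says
 * holds max_out code points. `strict` selects the check before insertion:
 *   strict == 0: reject only if written > max_out   (off-by-one)
 *   strict == 1: reject if written >= max_out       (correct)
 * Returns the number of code points written, or -1 on any error. */
int punycode_decode(const char *in, size_t len, unsigned *out,
                    size_t max_out, int strict)
{
    unsigned n = INITIAL_N, i = 0, bias = INITIAL_BIAS;
    size_t written = 0, pos = 0, basic = 0, j;

    /* Everything before the last '-' is copied through as ASCII. */
    for (j = 0; j < len; j++)
        if (in[j] == '-')
            basic = j;
    if (basic > 0) {
        if (basic > max_out)
            return -1;
        for (j = 0; j < basic; j++) {
            if ((unsigned char)in[j] >= 0x80)
                return -1;
            out[written++] = (unsigned char)in[j];
        }
        pos = basic + 1;
    }

    /* Each remaining digit group encodes one (position, code point)
     * insertion into the output built so far. */
    while (pos < len) {
        unsigned oldi = i, w = 1, k, t;
        int digit;

        for (k = BASE;; k += BASE) {
            if (pos >= len)
                return -1;
            digit = digit_value((unsigned char)in[pos++]);
            if (digit < 0)
                return -1;
            if ((unsigned)digit > (UINT_MAX - i) / w)
                return -1;
            i += (unsigned)digit * w;
            t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
            if ((unsigned)digit < t)
                break;
            if (w > UINT_MAX / (BASE - t))
                return -1;
            w *= BASE - t;
        }
        bias = adapt(i - oldi, (unsigned)written + 1, oldi == 0);
        if (i / (written + 1) > UINT_MAX - n)
            return -1;
        n += (unsigned)(i / (written + 1));
        i = (unsigned)(i % (written + 1));

        /* The bounds check. When written == max_out the buffer is already
         * full; the off-by-one form lets the insertion run anyway, and the
         * memmove then writes one element past out[max_out - 1]. */
        if (strict ? written >= max_out : written > max_out)
            return -1;

        memmove(out + i + 1, out + i, (written - i) * sizeof *out);
        out[i++] = n;
        written++;
    }
    return (int)written;
}

/* Constructed input: "bcher-kva" decodes to six code points, but the
 * decoder is told the buffer holds five. Slot 5 is a sentinel; the
 * function returns 1 if it was overwritten, 0 if the decoder refused. */
int demo_overflow(int strict)
{
    const char *label = "bcher-kva";
    unsigned buf[6];
    buf[5] = 0xDEADBEEFu;
    punycode_decode(label, strlen(label), buf, 5, strict);
    return buf[5] != 0xDEADBEEFu;
}

/* Decode the same label into a correctly sized buffer with the strict
 * check; returns the code point at idx, or 0 on failure / out of range. */
unsigned decoded_codepoint(size_t idx)
{
    const char *label = "bcher-kva";
    unsigned buf[6];
    int n = punycode_decode(label, strlen(label), buf, 6, 1);
    if (n < 0 || idx >= (size_t)n)
        return 0;
    return buf[idx];
}

int main(void)
{
    printf("off-by-one check: sentinel clobbered = %d\n", demo_overflow(0));
    printf("strict check:     sentinel clobbered = %d\n", demo_overflow(1));
    printf("decoded[1] = U+%04X\n", decoded_codepoint(1));
    return 0;
}
```

The sentinel slot is part of the same array, so observing the overwrite is well-defined C; in the real library the element past the end of the fixed-size stack buffer is whatever the compiler placed there, which is why the exploitability of CVE-2022-3602 depends on platform, compiler and stack layout.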

DXC perspective

Although OpenSSL downgraded CVE-2022-3602 from critical to high before publication, citing platform stack protections and the requirement that the malicious certificate be CA-signed or that the application ignore path-building failures, DXC still considers both issues serious and encourages users of OpenSSL 3.0.0 - 3.0.6 to upgrade to 3.0.7 as soon as possible. Because OpenSSL is often statically linked or bundled inside applications, containers and appliances rather than installed only as a system package, inventory every copy of libssl/libcrypto 3.0.x in your estate and update or rebuild each one, not just the operating system package. Regularly upgrading software and securing your infrastructure with advanced threat protection tools helps guard against vulnerabilities.