Protect Your Data and Boost Compliance: DPDP Act and Cybersecurity for Indian Manufacturers

Register Today
openssl-high-vulnerability

Analysis

On the 1st of November, OpenSSL published an advisory about two high-severity vulnerabilities that could lead to Denial of Service and remote code execution.

From this vulnerability a buffer overrun can be triggered in the verification of the certificate, specific to the name constraint check. By taking advantage of this, an attacker can craft a malicious email to overflow four attack-controlled bytes on a stack where it could lead to remote code execution or DoS.

OpenSSL has stated that there is no known exploit code present currently.

Polar bear reported this Vulnerability to OpenSSL and the vulnerability was initially identified as Critical severity and later changed to High severity, these vulnerabilities are classified as CVE-2022-3602 and CVE-2022-3786 in Common Vulnerability and Exposures Database.

The Vulnerable OpenSSL versions start from 3.0.1 to 3.0.6, the OpenSSL version 1.1.1 and 1.0.2 are not affected by these vulnerabilities.

CVEs of Vulnerable Products

  • CVE-2022-3602
  • CVE-2022-3786

Prevention

Update the OpenSSL to version 3.0.7 or to the latest available version.

References

OpenSSL

CISA.gov

 

Get in touch

Send us a Message

Looking for general information or have a specific question. Fill the form below or drop
us a line at susan@positka.com.