OpenSSL released patches for two vulnerabilities that have caused widespread concern among cybersecurity experts and researchers over the last week and a half. OpenSSL is a widely used cryptographic library that provides secure communication over the internet.
OpenSSL said it had lowered the severity rating of the more serious of the two bugs after it was given technical feedback about the details and spent the last week working with several organizations to test the issue.
Two High Severity Vulnerabilities
The first vulnerability, CVE-2022-3602 (X.509 Email Address 4-byte Buffer Overflow), is an arbitrary 4-byte stack buffer overflow that might trigger crashes or lead to remote code execution (RCE). CVE-2022-3602 is the vulnerability assessed as critical in the announcement.
According to the OpenSSL Blog, it became evident that certain Linux distributions were immune to the effects of the buffer overflow, and therefore to the crash and the RCE.
The second vulnerability, CVE-2022-3786 (X.509 Email Address Variable Length Buffer Overflow), can be exploited by attackers via a crafted email address in an X.509 certificate to trigger a buffer overflow and cause a denial of service.
The company noted that the number of hosts running a 3.0-series version of OpenSSL has slowly grown over the past few months, from about 3,000 in August.
The vulnerabilities only affect OpenSSL versions 3.0.0 – 3.0.6, which is around 1.5% of OpenSSL users, according to Wiz.io. Any platform that uses earlier versions is not affected. Affected platforms should be upgraded as soon as possible to version 3.0.7.
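The version range above is the one thing every host has to be checked against. The script below is an added example, not code from the article or from the OpenSSL project: it classifies an OpenSSL version string as inside or outside 3.0.0 – 3.0.6, reads the version of the `openssl` binary on PATH, and (where `lsof` is available) lists processes that still have the 3.0-series shared library mapped, since those keep the old code in memory until restarted. It assumes `openssl version` prints a banner of the form `OpenSSL 3.0.6 11 Oct 2022` and that the library is named `libssl.so.3`, which is the usual Linux layout; neither detail comes from the article.

```shell
#!/bin/sh
# Added example, not code from the article or from the OpenSSL project:
# classify an OpenSSL version against the affected range 3.0.0 - 3.0.6
# (CVE-2022-3602 / CVE-2022-3786) and report what the local host runs.
# Assumes `openssl version` prints a banner like "OpenSSL 3.0.6 11 Oct 2022";
# the library name libssl.so.3 is the usual one on Linux, not from the article.

# Extract the bare version ("3.0.6", "1.1.1q") from an `openssl version` banner.
openssl_version_from_banner() {
    set -- $1
    printf '%s\n' "$2"
}

# Return 0 (true) when the version lies in 3.0.0 - 3.0.6, else 1.
# Letter suffixes from the 1.x series ("1.1.1q") are stripped before parsing;
# any missing component is treated as 0, so "3.0" is read as 3.0.0.
openssl_is_affected() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    IFS=. read -r major minor patch _ <<EOF
$ver
EOF
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]
}

# Human-readable verdict for one version string.
openssl_verdict() {
    if openssl_is_affected "$1"; then
        printf 'AFFECTED: OpenSSL %s is in 3.0.0-3.0.6; upgrade to 3.0.7\n' "$1"
    else
        printf 'not affected: OpenSSL %s is outside 3.0.0-3.0.6\n' "$1"
    fi
}

# Check the openssl binary on PATH, if any, then list programs holding the
# 3.0-series shared library open (they need a restart after the upgrade).
check_local_host() {
    if command -v openssl >/dev/null 2>&1; then
        banner=$(openssl version 2>/dev/null)
        ver=$(openssl_version_from_banner "$banner")
        openssl_verdict "$ver"
    else
        echo "no openssl binary on PATH"
    fi
    # lsof is optional; skip quietly when it is not installed.
    if command -v lsof >/dev/null 2>&1; then
        echo "processes with libssl.so.3 mapped:"
        lsof 2>/dev/null | grep 'libssl\.so\.3' | awk '{print $1, $2}' | sort -u
    fi
}

# Self-check with constructed version strings, then inspect this host.
for v in 3.0.0 3.0.6 3.0.7 1.1.1q 3.1.0; do
    openssl_verdict "$v"
done
check_local_host
```

The self-check flags 3.0.0 and 3.0.6 as affected and 3.0.7, 1.1.1q and 3.1.0 as not affected. Note that the binary on PATH is only part of the picture: statically linked or vendored copies of OpenSSL inside applications and container images are not visible to this check and have to be inventoried separately.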
As a mitigation, operators of TLS servers can disable TLS client authentication, where it is in use, until they can apply the fix.