OpenSSL: It's not the end of the world, but better have it patched!

Published on 7 November 2022 12:00 AM

🍿 1 min. read

This post thumbnail

In OpenSSL version 3.0.7, two vulnerabilities CVE-2022-3602 and CVE-2022-3786 were fixed at once, affecting OpenSSL versions 3.0.0 and higher (from 3.0.0 to 3.0.6).

CVE-2022-3602 was supposed to receive critical status, which is an arbitrary 4-byte stack buffer overflow that can cause failures or lead to remote code execution (RCE). In the end, this vulnerability was assigned a high severity rating. Vulnerable versions of OpenSSL 3.0 and later.

The most detailed report on CVE-2022-3602.

CVE-2022-3786 can be used by potential attackers through malicious email addresses, and is capable of provoking a denial of service through buffer overflow.

It's not as bad as it might seem. Affects only versions from 3.0.0 to 3.0.6, the exploitation is not trivial, but it is also not worth delaying the update. If you are using OpenSSL from 3.0.0 to 3.0.6 included, you should upgrade to 3.0.7.