
Security Bulletin: OpenSSL vulnerabilities might impact IBM Cloud Application Business Insights - CVE-2022-3602 & CVE-2022-3786

2022-12-30 15:09:22
www.ibm.com

7.5 High (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.062 Low (Percentile: 93.5%)

Summary

OpenSSL vulnerabilities might impact IBM Cloud Application Business Insights - CVE-2022-3602 & CVE-2022-3786.

Vulnerability Details

CVEID: CVE-2022-3602
**DESCRIPTION:** OpenSSL is vulnerable to a stack-based buffer overflow, caused by improper bounds checking during X.509 certificate verification. By using a specially-crafted email address, a remote attacker could overflow a buffer and execute arbitrary code or cause the application to crash.
CVSS Base score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/239161 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2022-3786
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a stack-based buffer overflow during X.509 certificate verification. By using a specially-crafted email address in a certificate, a remote attacker could exploit this vulnerability to cause a TLS client to crash, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/239165 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)                      Version(s)
IBM Cloud Application Business Insights  1.1.7

Remediation/Fixes

IBM Cloud Application Business Insights uses the OpenSSL that is already installed on your system for secure communication. The IBM Cloud Application Business Insights (ICABI) installation package does not include OpenSSL.

OpenSSL versions 3.0.0 through 3.0.6 are affected by these vulnerabilities. OpenSSL 1.1.1 and 1.0.2 are not affected.

To check the OpenSSL version that is installed on a Linux server, enter the following command at the command line:

    openssl version

**Fix:** You must upgrade OpenSSL 3.0 to OpenSSL 3.0.7.

For more information, see https://www.openssl.org/news/secadv/20221101.txt
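The version check described above, as an added example that is not part of the IBM bulletin: a POSIX shell function that classifies the output of `openssl version` against the ranges the bulletin names (3.0.0 through 3.0.6 affected, 3.0.7 fixed, 1.1.1 and 1.0.2 not affected). The function names `openssl_status` and `check_local_openssl` and the sample version strings in the comments are constructed for this example; anything the bulletin does not cover (a different library such as LibreSSL, or an unlisted branch) is reported as `unknown` rather than guessed.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin): classify `openssl version`
# output against the bulletin's ranges for CVE-2022-3602 / CVE-2022-3786.

# openssl_status "<output of openssl version>"
# Prints exactly one of: affected, fixed, not-affected, unknown
openssl_status() {
    # Keep only the second field when the first is "OpenSSL",
    # e.g. "OpenSSL 3.0.5 5 Jul 2022" -> "3.0.5", "OpenSSL 1.1.1q  5 Jul 2022" -> "1.1.1q".
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    [ -n "$ver" ] || { echo unknown; return 0; }

    # Drop any letter or pre-release suffix (1.1.1q -> 1.1.1, 3.0.7-dev -> 3.0.7).
    num=$(printf '%s' "$ver" | sed 's/[^0-9.].*$//')
    case "$num" in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac

    # Split major.minor.patch on dots; missing components default to 0.
    oldifs=$IFS
    IFS=.
    set -- $num
    IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    case "$major" in
        3)
            # Bulletin: 3.0.0 through 3.0.6 affected; 3.0.7 is the fix release.
            # Later 3.x releases postdate 3.0.7 and carry the fix.
            if [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
                echo affected
            else
                echo fixed
            fi
            ;;
        1)
            # Bulletin explicitly names 1.1.1 and 1.0.2 as not affected.
            case "$minor.$patch" in
                1.1|0.2) echo not-affected ;;
                *)       echo unknown ;;
            esac
            ;;
        *)
            echo unknown
            ;;
    esac
}

# Run the check against the OpenSSL on this host, which is what ICABI uses.
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        openssl_status "$(openssl version 2>/dev/null)"
    else
        echo unknown
    fi
}

printf 'local openssl: %s\n' "$(check_local_openssl)"
```

One caveat when using this on a managed Linux host: `openssl version` reports the upstream version string, and distributions sometimes backport a security fix into a package that keeps the older 3.0.x string. A result of `affected` from this check is therefore a prompt to confirm the installed package's changelog or advisory status with the package manager, not a final verdict; `fixed` and `not-affected` can be taken at face value.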

Workarounds and Mitigations

None
