Intel Security Center, INTEL-SA-00789
Feb 02, 2023 - 12:00 a.m.

Intel® Software Products Advisory for OpenSSL Vulnerabilities (CVE-2022-3786 & CVE-2022-3602) Advisory

www.intel.com

Summary:

Security vulnerabilities in OpenSSL for some Intel® software products may allow denial of service. Intel is releasing software product updates to mitigate these vulnerabilities.

Vulnerability Details:

CVEID: CVE-2022-3602 (Non-Intel issued) and CVE-2022-3786 (Non-Intel issued)

Description: Improper buffer restrictions in OpenSSL before version 3.0.7 for some Intel® software products may allow an unauthenticated user to potentially enable denial of service via network access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Product Matrix:

Intel’s top priority remains the security of our clients and products. Product teams are releasing remediations for OpenSSL as quickly as possible, moving to the latest version available when developing mitigations.

The Intel product portfolio is under investigation to determine whether products are affected by CVE-2022-3602 and CVE-2022-3786, which are mitigated by OpenSSL version 3.0.7. OpenSSL 1.1.1 and 1.0.2 are not affected by these issues.

The vulnerabilities in OpenSSL identified by CVE-2022-3602 and CVE-2022-3786 involve buffer overruns that can be triggered in X.509 certificate verification. As such, Intel hardware products and graphic driver products are not affected.
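The version boundaries above can be turned into a triage check over collected OpenSSL version banners. The following is an added example, not Intel's or OpenSSL's code; the component names and the sample inventory are constructed, and the state labels are assumptions of this sketch.

```python
import re
import ssl

FIXED = (3, 0, 7)                           # first release with the fix, per the advisory
UNAFFECTED_SERIES = {(1, 1, 1), (1, 0, 2)}  # series the advisory lists as not affected
# Require the literal "OpenSSL" so a LibreSSL 3.x banner is never read as OpenSSL 3.0.x.
BANNER = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")

def classify(banner):
    """Map a version banner to a triage state for CVE-2022-3602 / CVE-2022-3786."""
    m = BANNER.search(banner)
    if not m:
        return "unknown"
    ver = tuple(int(p) for p in m.groups())
    if ver in UNAFFECTED_SERIES:
        return "not-affected"
    if (3, 0, 0) <= ver < FIXED:
        # Upstream version is in range. A distribution may have backported the
        # fix without changing this number, so confirm against the vendor package.
        return "in-affected-range"
    if ver >= FIXED:
        return "fixed"
    return "unknown"  # a series the advisory does not mention

def triage(inventory):
    """inventory: iterable of (component, banner) -> {state: [components]}."""
    report = {}
    for component, banner in inventory:
        report.setdefault(classify(banner), []).append(component)
    return report

# Constructed sample inventory (component names are hypothetical).
SAMPLE = [
    ("build-agent", "OpenSSL 3.0.5 5 Jul 2022"),
    ("api-gateway", "OpenSSL 3.0.7 1 Nov 2022"),
    ("legacy-vpn", "OpenSSL 1.1.1s  1 Nov 2022"),
    ("mac-laptop", "LibreSSL 3.3.6"),
    ("old-appliance", "OpenSSL 1.0.2u  20 Dec 2019"),
]

if __name__ == "__main__":
    for state, names in triage(SAMPLE).items():
        print(f"{state}: {', '.join(names)}")
    # The OpenSSL build linked into this Python interpreter:
    print("local runtime:", ssl.OPENSSL_VERSION, "->", classify(ssl.OPENSSL_VERSION))
```

Banners can be gathered with `openssl version` on each host; statically linked copies inside applications do not show up there and need a separate search.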

While Intel has completed our initial scanning efforts, with so much active industry research on OpenSSL, mitigation and remediation recommendations will continue to evolve. We are actively assessing the latest OpenSSL developments and will share updates accordingly. Please continue to check this advisory for updates.