OpenSSL Vulnerabilities: What will be Affected?
OpenSSL officially released two high-severity vulnerabilities affecting OpenSSL version 3.0.0 to 3.0.6. The vulnerabilities, CVE-2022-3786 and CVE-2022-3602, are closely related as they both can lead to X.509 Email Address Buffer Overflows. Although the severity has been downgraded from “Critical” during the pre-announcement, OpenSSL still considers these to be serious vulnerabilities and encourages affected users to upgrade as soon as possible. OpenSSL definition of high severity:
“High Severity: This includes issues that are of a lower risk than critical, perhaps due to affecting less common configurations, or which are less likely to be exploitable. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control.”
Identification: How do I identify affected systems?
The Office of Information Technologies (OIT) will begin working with OIT departments and system administrators to identify and patch affected systems. For most systems, you will be able to use the openssl command line utility:
>> openssl version
Output Example: OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
Remediation: How do I fix this vulnerability?
OpenSSL version 3.0.7 is officially released. Affected users are encouraged to upgrade to 3.0.7 as soon as possible. If you obtain your copy of OpenSSL from your Operating System vendor or another third party then you should seek to obtain an updated version from them as soon as possible.
The Information Security team would like to invite you to a briefing at 9:30 AM Wednesday, Nov. 2, https://notredame.zoom.us/j/92355361338. The discussion will focus on the vulnerability and the expected window for patching your systems running OpenSSL version 3.
OpenSSL Security Team Notice: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
OpenSSL Advisory: https://www.openssl.org/news/secadv/20221101.txt