High severity vulnerabilities detected in OpenSSL 3.0.2/3.0.5/3.0.7

High severity vulnerabilities detected in OpenSSL 3.0.2/3.0.5/3.0.7

Hello everyone,

 

OpenSSL has released a list of vulnerabilities detected in 3.0.7 (both in 32-bit and 64-bit versions) in case of Windows, and in versions 3.0.2 and 3.0.5 in case of Ubuntu. Vulnerability Manager Plus detects these vulnerabilities for affected machines once the database sync is completed. The customers can manually update the application.

 

The CVE details for Windows are as follows:

CVE ID
Vulnerability ID
Vulnerability
Vulnerability Name
CVE-2022-3602
163471
Buffer overrun
CVE-2022-3786,CVE-2022-3602 are fixed in OpenSSL (x64) 3.0.7
CVE-2022-3786
163472
Buffer overrun

Vulnerabilities CVE-2022-3786,CVE-2022-3602 are

fixed in OpenSSL 3.0.7

For more details, refer to this link.
The CVE and patch details for Ubuntu are as follows:

CVE ID
Vulnerability
Bulletin ID
Patch Name
CVE-2022-3786
Buffer overrun
USN-5710-1
libssl3_3.0.2-0ubuntu1.6_amd64.deb
CVE-2022-3602
Buffer overrun
USN-5710-1
libssl3_3.0.2-0ubuntu1.6_amd64.deb
CVE-2022-3786
Buffer overrun
USN-5710-1
libssl3_3.0.2-0ubuntu1.6_i386.deb
CVE-2022-3602
Buffer overrun
USN-5710-1
libssl3_3.0.2-0ubuntu1.6_i386.deb
CVE-2022-3786
Buffer overrun
USN-5710-1
libssl3_3.0.5-2ubuntu1_amd64.deb
CVE-2022-3602
Buffer overrun
USN-5710-1
libssl3_3.0.5-2ubuntu1_amd64.deb
CVE-2022-3786
Buffer overrun
USN-5710-1
libssl3_3.0.5-2ubuntu1_i386.deb
CVE-2022-3602
Buffer overrun
USN-5710-1
libssl3_3.0.5-2ubuntu1_i386.deb

For more details, refer to this link:

 

According to Mitre:

 

CVE-2022-3602 is a buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution.

 

CVE-2022-3786 is a buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

 

Cheers,

The ManageEngine Team

 

 


              New to ADManager Plus?

                New to ADSelfService Plus?