OpenSSL Security Advisories – CVE-2022-3602 and CVE-2022-3786

OpenSSL has just published two HIGH-severity security advisories, previously pre-announced as a single CRITICAL advisory.

The update patches a buffer overrun vulnerability that occurs during certificate verification. The certificate needs to contain a malicious Punycode-encoded name, and the vulnerability is only triggered AFTER the certificate chain has been verified. An attacker therefore first needs to obtain a malicious certificate signed by a certificate authority the client trusts.
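As an added check that is not part of the original post: a small POSIX shell helper that reads an `openssl version` string and reports whether the build falls in the affected range (3.0.0 through 3.0.6; 3.0.7 carries the fix, and the 1.1.1 and 1.0.2 series are not affected), plus a helper that flags Punycode (`xn--`) labels in the text dump of a certificate so such certificates can be reviewed while unpatched systems remain. The function names and sample inputs are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Known fact: CVE-2022-3602 and
# CVE-2022-3786 affect OpenSSL 3.0.0 through 3.0.6; 3.0.7 contains the fix.
# Usage: openssl_affected "$(openssl version)"
#   exit 0 = affected build, 1 = not affected, 2 = not an OpenSSL version line
openssl_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0          # "3.0" with no patch field
    [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]
}

# Reads certificate text on stdin (e.g. openssl x509 -in cert.pem -noout -text),
# prints any Punycode labels found and exits 0 if there were any, 1 otherwise.
# Punycode names are exactly what the vulnerable decoder processes, so a hit
# marks a certificate worth a closer look on an unpatched 3.0.x client.
cert_has_punycode() {
    grep -oi 'xn--[a-z0-9-]*'
}

# Constructed demonstration input (not a real certificate):
if [ "${1:-}" = "demo" ]; then
    openssl_affected "OpenSSL 3.0.5 5 Jul 2022" && echo "3.0.5: affected"
    printf 'email:user@xn--bcher-kva.example\n' | cert_has_punycode
fi
```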

As an interesting aside, this is the second big announcement from OpenSSL; back in 2014, they announced Heartbleed. That protocol-level vulnerability remains unpatched on a significant number of internet-accessible systems.

Affected Software

NCSC-NL and other partners are building a list of software that is known to be vulnerable (or not) to this latest OpenSSL vulnerability. This is NOT an exhaustive list, but hopefully a useful reference!

More Information

For more information, check out these links!

Original Post

This post was originally authored on this blog; you can also see the corresponding LinkedIn article here.
