OpenSSL Security Advisories – CVE-2022-3602 and CVE-2022-3786

OpenSSL have just published 2 HIGH security advisories — previously pre-announced as a single CRITICAL advisory

The update patches a buffer overrun vulnerability that happens during the certificate verification. The certificated needs to contain a malicious Punycode encoded name, and the vulnerability is only triggered AFTER the certificate chain is verified. An attacker first needs to be able to have a malicious certificate signed by a certificate authority the client trusts

As an interesting aside, this is the second big announce from OpenSSL – back in 2014, then announced Heartbleed. This protocol level vulnerability remains un-patched on a significant number of internet-accessible systems

Affected Software

NCSC-NL and other partners are building a list of software that is known to be vulnerable (or not) to this latest OpenSSL Vulnerability. This is NOT an exhaustive l list, but hopefully a useful reference!

More Information

For more information, check out these links!

Original Post

This post was originally authored on this blog, you can also see the corresponding LinkedIn Article here