                                                   JPCERT-AT-2022-0030
                                                             JPCERT/CC
                                                            2022-11-04

                  <<< JPCERT/CC Alert 2022-11-04 >>>

Alert Regarding Vulnerabilities (CVE-2022-3602, CVE-2022-3786) in OpenSSL

        https://www.jpcert.or.jp/english/at/2022/at220030.html


I. Overview
On November 1, 2022 (Local Time), OpenSSL Project released information
regarding the OpenSSL high severity vulnerabilities
(CVE-2022-3602, CVE-2022-3786).

OpenSSL has buffer overflow vulnerabilities that are triggered in X.509
certificate verification. An attacker exploiting the vulnerabilities
may be able to overflow four attacker-controlled bytes (CVE-2022-3602)
or any number of bytes (CVE-2022-3786) on the stack by crafting
a malicious email address in a certificate. As a result, the buffer
overflow could result in causing a denial of service (CVE-2022-3602,
CVE-2022-3786) or potentially remote code execution (CVE-2022-3602).
For more information on these vulnerabilities, please refer to the
information provided by the OpenSSL Project.

    OpenSSL Project
    OpenSSL Security Advisory [01 November 2022]
    https://www.openssl.org/news/secadv/20221101.txt

As of the time of the advisory publication (November 1, 2022),
OpenSSL Project is not aware of a report that the vulnerabilities may
have been actively exploited. Users of the affected versions are
recommended to address the issue as soon as possible by referring to
the information in "III. Solution".


II. Affected Software
The following versions are affected by these vulnerabilities:

- OpenSSL versions 3.0.x prior to 3.0.7

OpenSSL 1.1.1 and 1.0.2 are not affected by these vulnerabilities.


III. Solution
The OpenSSL Project has released a version of OpenSSL to address
these vulnerabilities.

  - OpenSSL 3.0.7


IV. References
    OpenSSL blog
    CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows
    https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

    JVNVU#92673251
    Multiple vulnerabilities in OpenSSL (Text in Japanese)
    https://jvn.jp/vu/JVNVU92673251/

    NCSC-NL/OpenSSL-2022
    https://github.com/NCSC-NL/OpenSSL-2022
    The National Cyber Security Centre (NCSC) of the Netherlands has published a page on GitHub with an overview of this vulnerability and a list of products (un)affected by the vulnerability.

If you have any information regarding this alert, please contact
JPCERT/CC.

======================================================================
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/