JPCERT-AT-2022-0030
JPCERT/CC
2022-11-04
I. Overview
On November 1, 2022 (local time), the OpenSSL Project released information regarding high severity vulnerabilities in OpenSSL (CVE-2022-3602, CVE-2022-3786). OpenSSL has buffer overflow vulnerabilities that are triggered in X.509 certificate verification. By crafting a malicious email address in a certificate, an attacker exploiting the vulnerabilities may be able to overflow four attacker-controlled bytes (CVE-2022-3602) or any number of bytes (CVE-2022-3786) on the stack. The buffer overflow could result in a denial of service (CVE-2022-3602, CVE-2022-3786) or potentially remote code execution (CVE-2022-3602). For more information on these vulnerabilities, please refer to the information provided by the OpenSSL Project.
OpenSSL Project
OpenSSL Security Advisory [01 November 2022]
https://www.openssl.org/news/secadv/20221101.txt
As of the time of the advisory publication (November 1, 2022), the OpenSSL Project is not aware of any report of the vulnerabilities being actively exploited. Users of the affected versions are recommended to address the issue as soon as possible by referring to the information in "III. Solution".
II. Affected Software
The following versions are affected by these vulnerabilities:
- OpenSSL versions 3.0.x prior to 3.0.7
OpenSSL 1.1.1 and 1.0.2 are not affected by these vulnerabilities.
III. Solution
The OpenSSL Project has released a version of OpenSSL to address these vulnerabilities.
- OpenSSL 3.0.7
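To triage hosts against the ranges stated in sections II and III, the following added example (not part of the JPCERT/CC alert or of the OpenSSL Project's material) classifies `openssl version` output, preferring the loaded library version over the binary version when both are reported. The function names and sample lines are constructed for illustration, and the check compares upstream version numbers only, so distribution packages that backport the fix without changing the upstream version must be checked against the vendor's own advisory.

```shell
#!/usr/bin/env bash
# Added example; function names and sample lines are constructed.

# Print the version of the loaded library when the line reports one
# ("(Library: OpenSSL X ...)"), otherwise the version of the binary.
extract_version() {
    local line="$1"
    case "$line" in
        *"(Library: OpenSSL "*) line="${line#*"(Library: OpenSSL "}" ;;
        "OpenSSL "*)            line="${line#"OpenSSL "}" ;;
        *) return 1 ;;          # not OpenSSL output (e.g. another TLS library)
    esac
    printf '%s\n' "${line%% *}"
}

# Map an upstream version string to: affected | fixed | not-affected | unknown.
classify_version() {
    local v="$1" patch
    case "$v" in
        3.0.*)
            patch="${v#3.0.}"
            patch="${patch%%[!0-9]*}"          # drop suffixes such as "-beta1"
            if [ -z "$patch" ]; then echo unknown
            elif [ "$patch" -lt 7 ]; then echo affected
            else case "$v" in
                     *-*) echo unknown ;;      # pre-release build of >= 3.0.7
                     *)   echo fixed ;;
                 esac
            fi ;;
        1.1.1*|1.0.2*) echo not-affected ;;    # stated as unaffected in section II
        *) echo unknown ;;                     # not covered by this alert
    esac
}

triage_line() {
    local v
    v="$(extract_version "$1")" || { echo unknown; return 0; }
    classify_version "$v"
}

# Constructed sample lines; on a real host use: triage_line "$(openssl version)"
while IFS= read -r line; do
    printf '%-12s %s\n' "$(triage_line "$line")" "$line"
done <<'EOF'
OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
OpenSSL 1.1.1s  1 Nov 2022
EOF
```

The second sample line shows why the library field matters: an updated `openssl` binary can still load an older 3.0.x shared library. Applications that bundle or statically link their own OpenSSL copy are not visible to this check.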
IV. References
OpenSSL blog
CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
JVNVU#92673251
Multiple vulnerabilities in OpenSSL (Text in Japanese)
https://jvn.jp/vu/JVNVU92673251/
NCSC-NL/OpenSSL-2022
https://github.com/NCSC-NL/OpenSSL-2022
The National Cyber Security Centre (NCSC) of the Netherlands has published a page on GitHub with an overview of this vulnerability and a list of products (un)affected by the vulnerability.
If you have any information regarding this alert, please contact JPCERT/CC.
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/