Advisory November 1, 2022

OpenSSL 3 High Vulnerability – CVE-2022-3602 & CVE-2022-3786

Obrela SOC

OpenSSL has announced an upcoming Critical vulnerability in OpenSSL 3.0.x. OpenSSL is used by vast numbers of applications, operating systems, and devices throughout the internet, so this vulnerability is likely to be extremely wide-reaching. The release of the latest version to patch this vulnerability occurred on Nov 1st, 2022, at 15:42 UTC and includes fixes for affected versions. The patch addresses the following issues:

  • Added RIPEMD160 to the default provider.
  • Fixed regressions introduced in 3.0.6 version.
  • Fixed two buffer overflows in punycode decoding functions.

As a result of subsequent analysis, the severity of the vulnerability fixed in OpenSSL 3.0.7 was corrected to High, one step below Critical.

It is the second time in history that a vulnerability of severity Critical was discovered in OpenSSL, following "Heartbleed", which was reported in 2014 and caused a stir all over the world. In addition, the OpenSSL version 1 series is maintained in parallel with the version 3 series, but the version 1 series is not affected by the vulnerability discovered this time.

Vulnerable Versions

OpenSSL 3.0.x

Not Vulnerable versions

  • OpenSSL 1.1.1
  • OpenSSL 1.1.0
  • OpenSSL 1.0.2
  • OpenSSL 1.0.1
  • LibreSSL

Recommendation

It is highly recommended to update OpenSSL 3.0.x to the latest official version to patch this vulnerability.
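The following shell script is an added example and is not part of the Obrela advisory or of the OpenSSL project. It turns the version lists above into a check an administrator can run on a host: it parses the banner printed by `openssl version` and classifies it against the affected range. The script assumes, as the advisory states, that OpenSSL 3.0.0 through 3.0.6 are affected, that 3.0.7 carries the fix, and that the 1.x series and LibreSSL are out of scope; the function names `classify_openssl` and `check_local_openssl` are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Obrela advisory or the OpenSSL project:
# classify an `openssl version` banner against the advisory's affected range.
# Assumptions: OpenSSL 3.0.0 through 3.0.6 are affected and 3.0.7 carries the
# fix; the 1.x series and LibreSSL are out of scope, as the advisory states.

# classify_openssl BANNER
#   Prints VULNERABLE, PATCHED, NOT_AFFECTED or UNKNOWN.
#   Exit status: 1 = vulnerable (action needed), 0 = no action, 2 = unparseable.
classify_openssl() {
    banner=$1
    case "$banner" in
        LibreSSL*)
            echo NOT_AFFECTED; return 0 ;;
    esac
    # Pull the numeric x.y.z out of "OpenSSL 3.0.5 5 Jul 2022"; a 1.1.1q
    # suffix letter is dropped because it is outside the character class.
    ver=$(printf '%s\n' "$banner" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    case "$ver" in
        *.*.*) ;;                      # need major.minor.patch
        *) echo UNKNOWN; return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}                 # ignore any fourth component
    if [ "$major" -ne 3 ] || [ "$minor" -ne 0 ]; then
        # 1.x is not affected per the advisory; other 3.x minor series are
        # treated as out of scope here (assumption: they postdate the fix).
        echo NOT_AFFECTED; return 0
    fi
    if [ "$patch" -lt 7 ]; then
        echo VULNERABLE; return 1
    fi
    echo PATCHED; return 0
}

# check_local_openssl: run the classifier against the binary on this host.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl binary not found on PATH" >&2
        return 2
    fi
    banner=$(openssl version)
    if result=$(classify_openssl "$banner"); then rc=0; else rc=$?; fi
    echo "$banner -> $result"
    return $rc
}

# Only probe the live host when asked to, so the functions can also be sourced
# by other scripts (for example a fleet-wide inventory job).
if [ "${1:-}" = "--check" ]; then
    check_local_openssl
fi
```

Run it as `sh check_openssl.sh --check` on each host; a non-zero exit status of 1 flags a host that still needs the 3.0.7 update. Note that the banner of the `openssl` binary only covers the system copy: applications that bundle their own OpenSSL 3.0.x (statically linked or vendored) must be inventoried separately.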

OBRELA's log collection components and any other information systems which support the provisioning of our MDR services are patched according to the latest updates.

The Threat Hunting and SOC teams of Obrela remain vigilant and continue to monitor the activity.

Note: This article was updated on 2 November 2022.