IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

OpenSSL 3.0 vulnerability: Patch released for security scare

The severity has been downgraded from 'critical' to 'high' and comparisons to Heartbleed have been quashed

The OpenSSL project has now lifted its embargo detailing the 'second-ever critical vulnerability patch' in the project’s history.

OpenSSL version 3.0.7 is now available to download and brings fixes for two security vulnerabilities, tracked as CVE-2022-3786 and CVE-2022-3602, which have now been downgraded from the highest ‘critical’ severity to high’.

CVE-2022-3602 was originally the critical-severity flaw, a four-byte stack buffer overflow that could have been triggered in the name constraint checking process involved in X.509 certificate verification. Theoreticslly, successful exploitation could have led to a crash or remote code execution (RCE).

Attackers could have achieved this by crafting a malicious email address to overflow the four attacker-controlled bytes on the stack, causing a buffer overflow, OpenSSL said in an advisory.

This could only occur after certificate chain signature verification, it added, and would require either a certificate authority to have signed the malicious certificate or for the application to continue verifying even a path could not be constructed to a trusted issuer. 

OpenSSL said there were a number of mitigating factors that led to the decision to downgrade the severity rating. 

Considerations taken into account included the idea that many platforms deploy protections for such buffer overflows that would likely lead to the prevention of RCE, and sowas the thinking that the stack layout of any given platform may have further limited an exploit’s success.

Despite the severity downgrade, OpenSSL recommends all users of OpenSSL version 3 and above upgrade to the latest 3.0.7 version. 

“We are not aware of any working exploit that could lead to code execution, and we have no evidence of this issue being exploited as of the time of release of this advisory,” it said.

According to OpenSSL’s security policy, a vulnerability will only be assigned ‘critical’ status if RCE is likely in common situations.

“We no longer felt that this rating applied to CVE-2022-3602 and therefore it was downgraded on 1 November 2022 before being released to high,” said OpenSSL in a separate blog post.

“CVE-2022-3786 was not rated as critical from the outset, because only the length and not the content of the overwrite is attacker-controlled,” it added. “Exposure to remote code execution is not expected on any platforms.”

Related Resource

The big book of ZTNA security use cases

Know your ZTNA protection index

Whitepaper cover with bold blue header banner with title and image of man at a workstation with multiple screensFree Download

A security researcher, Viktor Dukhovni, discovered the second vulnerability, CVE-2022-3786, while researching CVE-2022-3602 which was discovered by ‘Polar Bear’.

It was another buffer overflow issue with X.509 certificate verification that could cause a crash resulting in a denial of service, but had no potential for RCE.

When the security issues were announced last week, the two flaws were not detailed to reduce the likelihood of cyber attackers being able to use the information to engineer working exploits before the patch could be released.

Comparisons between the vulnerability in OpenSSL 3.0 and Heartbleed, the only other critical vulnerability in the project, have since been rejected.

"In short: While this is a potential remote code execution vulnerability, the requirements to trigger the vulnerability are not trivial, and I do not see this as a 'Heartbleed Emergency'," said Dr Johannes Ullrich, dean of research at SANS Technology Institute. "Patch quickly as updated packages become available, but beyond this, no immediate action is needed."

OpenSSL users do not need to replace their TLS server certificates, the project’s representatives said. 

All OpenSSL 3.0 applications that verify X.509 certificates received from untrusted sources should be considered vulnerable, they added. All versions below 3.0 are unaffected.

Featured Resources

AI for customer service

IBM Watson Assistant solves customer problems the first time

View now

Solve cyber resilience challenges with storage solutions

Fundamental capabilities of cyber-resilient IT infrastructure

Free Download

IBM FlashSystem 5000 and 5200 for mid-market enterprises

Manage rapid data growth within limited IT budgets

Free download

Leverage automated APM to accelerate CI/CD and boost application performance

Constant change to meet fast-evolving application functionality

Free Download

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
Google rolls out patch for high-severity Chrome browser zero day
zero-day exploit

Google rolls out patch for high-severity Chrome browser zero day

25 Nov 2022