Service Advisory - OpenSSL Vulnerabilities (CVE-2022-3786 and CVE-2022-3602)
Service Advisory

Please share the following update with your teams.

On 1 November 2022 OpenSSL disclosed two high severity vulnerabilities, CVE-2022-3602 (a 4-byte stack buffer overflow with potential for remote code execution) and CVE-2022-3786 (a variable-length stack buffer overflow), affecting OpenSSL 3.0.0 through 3.0.6. Please review the information below to help determine whether you maintain any systems that could be affected, including applications and containers that bundle their own copy of OpenSSL 3.0. Any vulnerable system should be upgraded to OpenSSL 3.0.7.

Note that CVE-2022-3602 was pre-announced as Critical and was downgraded to High at disclosure, because stack overflow protections on many platforms limit it to a crash and because exploitation requires a malicious certificate to reach name-constraint checking; out-of-cycle patching is therefore not required.

Severity level
High (OpenSSL severity rating)

Description
OpenSSL is the core open-source library that implements the SSL and TLS protocols, making it possible to communicate securely over the internet.

Both issues are stack buffer overflows in X.509 certificate verification, triggered when OpenSSL decodes a punycode-encoded email address while checking a certificate against name constraints. CVE-2022-3602 lets a crafted email address overflow the stack by four attacker-controlled bytes, which could crash the process or, in principle, lead to remote code execution (RCE); CVE-2022-3786 lets it overflow by an arbitrary number of '.' (0x2E) bytes, which can only cause a crash (denial of service). Exploitation requires a malicious certificate that either carries a CA signature or is processed by an application that continues verification despite failing to build a trusted chain. In that case both TLS clients connecting to a malicious server and TLS servers that request client certificates are exposed.

Affected Versions
OpenSSL versions 3.0.0 to 3.0.6, including copies bundled or statically linked into applications (OpenSSL 1.0.2, 1.1.1 and earlier branches are NOT affected)
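The following shell script is an added example, not part of this advisory and not OpenSSL's own tooling. It parses a version string (either a bare "3.0.5" or the full output of "openssl version") and reports whether it falls in the affected 3.0.0 through 3.0.6 range, then applies that test to the openssl binary on PATH. The function names, the "--check" flag and the sample version strings are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory or from OpenSSL): decide whether an
# OpenSSL version string falls in the range affected by CVE-2022-3602 and
# CVE-2022-3786, i.e. 3.0.0 through 3.0.6.
#
# openssl_is_affected VERSION_STRING
#   Accepts either a bare version ("3.0.5") or the full output of
#   "openssl version" ("OpenSSL 3.0.5 5 Jul 2022"). Exit status:
#     0 = affected, 1 = not affected, 2 = version could not be parsed.
openssl_is_affected() {
    ver=${1#OpenSSL }      # drop the "OpenSSL " prefix if present
    ver=${ver%% *}         # keep only the first token (the version number)
    case "$ver" in
        *.*.*) ;;          # need at least major.minor.patch
        *) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}   # "1q" (1.1.1q style) or "7-dev" -> digits only
    # Reject anything non-numeric so the arithmetic tests below cannot fail.
    for n in "$major" "$minor" "$patch"; do
        case "$n" in
            *[!0-9]* | "") return 2 ;;
        esac
    done
    [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]
}

# check_system_openssl: run the test against the openssl binary on PATH.
# Prints a one-line verdict; exit status follows openssl_is_affected.
check_system_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "no openssl binary on PATH (check bundled/static copies separately)"
        return 2
    fi
    v=$(openssl version)
    if openssl_is_affected "$v"; then
        echo "AFFECTED: $v -> upgrade to OpenSSL 3.0.7"
        return 0
    fi
    echo "not in affected range: $v"
    return 1
}

# Usage (hypothetical file name): sh openssl_check.sh --check
case "${1-}" in
    --check) check_system_openssl ;;
esac
```

Two caveats when using a check like this: distribution packages often keep the upstream version number (for example 3.0.2) while carrying the fix as a backport, so a match on the version string should be confirmed against the package changelog or the vendor security notice; and "openssl version" only reports the system binary, so applications, containers and language runtimes that ship their own OpenSSL 3.0 library must be inventoried separately.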

Impact
Could result in a crash (causing a denial of service) or remote code execution.

Resolution
Upgrade to OpenSSL 3.0.7 (or install your distribution's patched package, which may keep a 3.0.x version number and carry the fix as a backport).

Reference
https://www.bleepingcomputer.com/news/security/openssl-fixes-two-high-severity-vulnerabilities-what-you-need-to-know/
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
https://www.openssl.org/news/secadv/20221101.txt
https://www.trendmicro.com/en_za/research/22/j/openssl-critical-security-vulnerability-fix.html

We thank you for your continued support and understanding.

Contact
Client Services at askit@yorku.ca or 416 736 5800

This email was sent by: York University, 4700 Keele Street, Toronto, Ontario M3J 1P3