OpenSSL, the open-source cryptography library widely used across the internet by servers and websites, had pre-announced an upcoming critically rated vulnerability patch to be released Nov. 1, 2022. The organization has now released the patch, while also downgrading one of the vulnerabilities it was tracking.
A blog post from OpenSSL and an accompanying security advisory announced the vulnerabilities, tracked as CVE-2022-3786 (X.509 Email Address Variable Length Buffer Overflow) and CVE-2022-3602 (X.509 Email Address 4-byte Buffer Overflow).
OpenSSL states it downgraded CVE-2022-3602 from critical to high after feedback from several organizations that tested the vulnerability. Specifically, OpenSSL rates a vulnerability as critical if remote code execution is considered likely in common situations; since it is not aware of any working exploit that could lead to remote code execution, OpenSSL opted to downgrade the vulnerability to high.
Nuspire is not utilizing an affected version of OpenSSL.
Although CVE-2022-3602 has been downgraded, OpenSSL states that it and CVE-2022-3786 are still serious vulnerabilities that should be addressed immediately. It’s important to remember that OpenSSL is used widely, as SSL certificates are practically mandatory for any HTTPS website. By not acting quickly, you put your organization at risk.
Here’s what you can do to safeguard your organization:
Inventory your technologies and determine whether any of them use OpenSSL 3.0 or higher.
If you are using OpenSSL 3.0.0-3.0.6, apply the patches for these high-severity vulnerabilities as soon as possible. Users of OpenSSL 1.1.1, 1.0.2 and earlier versions are not affected, as the vulnerabilities were introduced in version 3.0.0.
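The version check behind the two steps above, as an added example that is not code from the Nuspire post or from OpenSSL: a POSIX sh script that parses an `openssl version` banner and reports whether the version falls in the affected 3.0.0 through 3.0.6 range. The host names and banners in the inventory list are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the Nuspire post or from OpenSSL: classify an
# OpenSSL version string against the range the advisory names as affected,
# 3.0.0 through 3.0.6. Accepts the full `openssl version` banner
# ("OpenSSL 3.0.5 5 Jul 2022") or a bare version ("3.0.5", "1.1.1q").

# Print the numeric major.minor.patch triple from a version banner, or nothing
# when the string does not contain one (e.g. a LibreSSL banner).
openssl_version_triple() {
    printf '%s\n' "$1" |
        sed -n 's/^\(OpenSSL[[:space:]]*\)\{0,1\}\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*/\2/p'
}

# Print one word: "affected" for 3.0.0..3.0.6, "ok" for any other parsable
# version (1.1.1 and 1.0.2 are not affected per the advisory), "unknown" when
# the string cannot be parsed and the host needs a manual look.
openssl_affected() {
    triple=$(openssl_version_triple "$1")
    if [ -z "$triple" ]; then
        echo unknown
        return 0
    fi
    major=${triple%%.*}
    rest=${triple#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        echo affected
    else
        echo ok
    fi
}

# Inventory pass: the local binary first, then constructed banners of the kind
# an inventory tool would collect from other hosts (sample data, not real hosts).
printf '%-9s %s\n' "$(openssl_affected "$(openssl version 2>/dev/null || echo none)")" "localhost"
while read -r host banner; do
    printf '%-9s %s (%s)\n' "$(openssl_affected "$banner")" "$host" "$banner"
done <<'EOF'
web-01 OpenSSL 3.0.6
web-02 OpenSSL 3.0.7
vpn-01 OpenSSL 1.1.1q
lb-01 LibreSSL 3.6.1
EOF
```

A version the script reports as unknown is not safe by default; check that host by hand, because the affected range only applies to OpenSSL's own numbering.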