
UPDATE: OpenSSL Releases Security Patch, Downgrades Vulnerability from “Critical” to “High”

OpenSSL, the open-source cryptography library used across the internet by servers and websites, had pre-announced that a patch for a critical-severity vulnerability would be released Nov. 1, 2022. The project has now released the patch, and at the same time downgraded one of the two vulnerabilities it was tracking.

Why was it downgraded?

A blog post from OpenSSL and its security advisory describe the vulnerabilities tracked as CVE-2022-3786 (X.509 Email Address Variable Length Buffer Overflow) and CVE-2022-3602 (X.509 Email Address 4-byte Buffer Overflow).

OpenSSL states it downgraded CVE-2022-3602 from critical to high after feedback from several organizations that tested the vulnerability. Specifically, OpenSSL rates a vulnerability as critical when remote code execution is considered likely in common situations; since it is not aware of any working exploit that leads to remote code execution, OpenSSL opted to downgrade the vulnerability to high.

What is Nuspire doing?

Nuspire is not utilizing an affected version of OpenSSL.

What should I do?

Although CVE-2022-3602 has been downgraded, OpenSSL states that it and CVE-2022-3786 are still serious vulnerabilities that should be addressed immediately. It’s important to remember OpenSSL is used widely, as SSL certificates are practically mandatory for any HTTPS website. By not acting quickly, you put your organization at risk.

Here’s what you can do to safeguard your organization:

Inventory your technologies and determine if any are utilizing OpenSSL 3.0 or higher.

If using OpenSSL 3.0.0-3.0.6, apply the patches for these high-severity vulnerabilities as soon as possible. Users of OpenSSL 1.1.1, 1.0.2 and earlier versions are not affected, as the vulnerabilities were introduced in version 3.0.0.
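As an added example (not part of Nuspire's post and not OpenSSL project code), the two steps above can be turned into a POSIX shell check that classifies an OpenSSL version string against the affected range of 3.0.0 through 3.0.6. The function name `is_affected_openssl` and the sample version strings are assumptions made for this example; it accepts either a bare version such as `3.0.5` or the first line of `openssl version` output.

```shell
#!/bin/sh
# Returns 0 (true) when the supplied OpenSSL version string falls in the
# range affected by CVE-2022-3602 / CVE-2022-3786 (3.0.0 through 3.0.6),
# and 1 otherwise. Example helper, not OpenSSL's own tooling.
is_affected_openssl() {
    ver=${1#OpenSSL }          # drop a leading "OpenSSL " if present
    ver=${ver%% *}             # keep only the version token ("3.0.2 15 Mar 2022" -> "3.0.2")
    case $ver in
        [0-9]*.[0-9]*) ;;      # looks like a dotted version number
        *) return 1 ;;         # empty or unparseable input is not classified as affected
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}    # strip letter suffixes such as the "q" in 1.1.1q
    # Only the 3.0.x series is affected; 1.1.1, 1.0.2 and 3.1+ are not.
    [ "$major" = 3 ] && [ "$minor" = 0 ] || return 1
    [ "${patch:-0}" -le 6 ]
}

# Reports on the OpenSSL binary found on PATH, if any.
# A vendor package may carry a backported fix while still reporting an
# upstream version in the affected range, so treat "AFFECTED" as a prompt
# to check the package changelog rather than as a final verdict.
report_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl binary not found on PATH (library may still be bundled elsewhere)"
        return 0
    fi
    v=$(openssl version)
    if is_affected_openssl "$v"; then
        echo "AFFECTED: $v -> upgrade to OpenSSL 3.0.7 or later"
    else
        echo "not in affected range: $v"
    fi
}

# Constructed sample inputs showing the classification.
for sample in "3.0.0" "3.0.6" "OpenSSL 3.0.2 15 Mar 2022" "3.0.7" "OpenSSL 1.1.1q  5 Jul 2022" "3.1.0"; do
    if is_affected_openssl "$sample"; then
        echo "affected:     $sample"
    else
        echo "not affected: $sample"
    fi
done

report_local_openssl
```

This only inspects the version string; applications that statically link or vendor their own copy of OpenSSL will not show up in `openssl version`, which is why the inventory step comes first.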
