Earlier this week, the OpenSSL project team announced the release of their next version, meant to resolve critical vulnerabilities. The team has patched two high-severity vulnerabilities in OpenSSL, the library used to encrypt communication channels and HTTPS connections.
 

Diving into the details

The OpenSSL security vulnerabilities (CVE-2022-3602 and CVE-2022-3786) affect version 3.0.0 and above and have been fixed in OpenSSL 3.0.7.
  • CVE-2022-3602 is an arbitrary 4-byte stack buffer overflow that could trigger crashes or lead to RCE.
  • CVE-2022-3786 can be exploited by attackers via malicious email addresses to trigger a denial-of-service state via a buffer overflow.

Warning and patch update

  • As per the project's policy, IT administrators of several organizations were warned as early as October 25 to search their environments for the OpenSSL security vulnerabilities. The advance notice also prepared them to patch as soon as OpenSSL 3.0.7 was released.
  • As OpenSSL is very widely used, and this security vulnerability is enormous, there is an urgency to patch and update systems. The OpenSSL team considers them to be significant vulnerabilities, and affected users are encouraged to upgrade at the earliest.
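Searching an environment for the affected versions comes down to collecting `openssl version` banners and comparing them against the fixed release. The following script is an added example written for this page, not code from the OpenSSL project or from Cyware; it assumes an inventory of tab-separated `host<TAB>banner` lines (the sample hosts and banners below are constructed), classifies each host as affected, not affected, or unknown according to the advisory's range (every 3.0.x release before 3.0.7; the 1.1.1 and 1.0.2 branches are not affected), and also checks the OpenSSL build the running Python interpreter is linked against.

```python
import re
import ssl
from typing import Dict, Iterable, Optional, Tuple

# First release carrying the fixes for CVE-2022-3602 and CVE-2022-3786.
FIXED_VERSION = (3, 0, 7)

# Matches the numeric part of an `openssl version` banner, e.g. "OpenSSL 3.0.5 5 Jul 2022".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an OpenSSL banner, or None for
    non-OpenSSL banners (LibreSSL, BoringSSL, garbage)."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True for 3.0.0 <= version < 3.0.7; the 1.x branches and 3.0.7+ are not affected."""
    return version[0] == 3 and version < FIXED_VERSION


def triage_inventory(lines: Iterable[str]) -> Dict[str, str]:
    """Classify each 'host<TAB>banner' line as affected / not affected / unknown."""
    report: Dict[str, str] = {}
    for line in lines:
        host, _, banner = line.strip().partition("\t")
        version = parse_openssl_version(banner)
        if version is None:
            report[host] = "unknown"          # not OpenSSL, or banner unreadable
        elif is_affected(version):
            report[host] = "affected"
        else:
            report[host] = "not affected"
    return report


def local_openssl_affected() -> bool:
    """Check the OpenSSL this interpreter is linked against (ssl.OPENSSL_VERSION_INFO)."""
    major, minor, patch = ssl.OPENSSL_VERSION_INFO[:3]
    return is_affected((major, minor, patch))


# Constructed sample inventory (hypothetical hosts, not a real environment).
SAMPLE_INVENTORY = [
    "web-01\tOpenSSL 3.0.5 5 Jul 2022",
    "web-02\tOpenSSL 3.0.7 1 Nov 2022",
    "db-01\tOpenSSL 1.1.1q  5 Jul 2022",
    "bastion\tLibreSSL 3.3.6",
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    state = "affected" if local_openssl_affected() else "not affected"
    print(f"local interpreter OpenSSL: {ssl.OPENSSL_VERSION} -> {state}")
```

A host marked "unknown" still needs a manual look: statically linked binaries and containers often carry their own copy of OpenSSL that the system `openssl version` banner does not reveal.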
 

What is OpenSSL?

  • OpenSSL is a widely used code library designed to allow secure communication over the internet.
  • Whenever we browse the internet, the website we visit or the online service we access relies on OpenSSL at its most basic level.
 

Additional information

  • OpenSSL's advisory provides a mitigation for admins operating TLS servers: disable TLS client authentication until the patches are applied.
  • The initial warning prompted administrators to take immediate action to mitigate the flaw. The actual impact is more limited, given that CVE-2022-3602 has been downgraded to high severity and only affects OpenSSL 3.0 and later versions.
 

Recorded instances

Some security experts have compared the OpenSSL security vulnerability with the Log4Shell flaw in the Apache Log4j logging library.
  • A Shodan scan revealed approximately 16,000 publicly accessible OpenSSL instances.
  • Wiz.io, a cloud security firm, reported that only 1.5% of all OpenSSL instances were impacted across major cloud environments such as AWS, GCP, Azure, OCI, and Alibaba.
  • The National Cyber Security Centre of the Netherlands maintains a list of software products that have been confirmed to be unaffected by this OpenSSL vulnerability.
  • According to cybersecurity firm Akamai, multiple popular Linux distributions that ship the most recent OpenSSL versions, such as Red Hat Enterprise Linux 9, Ubuntu 22.04+, CentOS Stream 9, Kali 2022.3, Debian 12, and Fedora 36, are listed as vulnerable.
Publisher: Cyware