Update: OpenSSL downgraded the vulnerability from Critical to High and released details as two new High severity vulnerabilities: CVE-2022-3786 ("X.509 Email Address Variable Length Buffer Overflow") and CVE-2022-3602 ("X.509 Email Address 4-byte Buffer Overflow").
Check out the blog post on the OpenSSL site for more information.
Be on the lookout for the OpenSSL patch addressing the new Critical vulnerability they warned of last week. The information provided so far has been very vague, so this hasn't been in the spotlight just yet, but after the release tomorrow (Nov 1st) between 1300 and 1700 UTC it is sure to draw major media attention. It would be good to have teams (vendors and internal IT/Security) on standby tomorrow to discuss the details of the patch and the potential impact, risk and exposure to your environment, as it is very likely this will need to be rolled out as soon as possible, meaning out-of-band maintenance windows outside your normal patching schedule. Hopefully your asset and software inventories are up to date so you can quickly review which systems are impacted and how they need to be patched.
After more information is released tomorrow, we will update our post.
Read the articles below for some additional information.