Alert Logic is researching two vulnerabilities affecting OpenSSL 3.x – CVE-2022-3786 and CVE-2022-3602. An attacker can overflow a buffer on the OpenSSL stack with four attacker-controlled bytes, which may result in a denial of service or, potentially, remote code execution.
Who is affected?
All customers running OpenSSL versions 3.0.0 through 3.0.6 are affected. Customers running OpenSSL versions 1.1.1 and 1.0.2 are not affected by this vulnerability. OpenSSL 3.x was released in September 2021 and is likely only installed on systems running the latest versions of common Linux distributions such as Ubuntu 22.04 and Fedora 36.
Furthermore, according to the OpenSSL Advisory, "any OpenSSL 3.0 application that verifies X.509 certificates received from untrusted sources should be considered vulnerable. This includes TLS clients and TLS servers that are configured to use TLS client authentication."
What can I do?
Alert Logic recommends upgrading to OpenSSL version 3.0.7 to patch this vulnerability.
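The affected range above (3.0.0 through 3.0.6, fixed in 3.0.7) is easy to check by hand but easy to get wrong in a script, since `openssl version` prints a full banner and 1.x builds carry a letter suffix. The following POSIX sh function is an added example (not Alert Logic's or the OpenSSL project's code) that extracts the dotted version from either a bare version string or the full `openssl version` banner and reports whether it falls inside the advisory's affected range; the sample banner strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Alert Logic's or OpenSSL's code): classify an OpenSSL
# version against the affected range named in the advisory, 3.0.0 .. 3.0.6.
# Accepts a bare version ("3.0.5") or a full banner such as the constructed
# sample "OpenSSL 3.0.2 15 Mar 2022".

# Print "major.minor.patch" taken from the first dotted triple in the input;
# prints nothing if no triple is present (e.g. an unexpected banner format).
openssl_extract_version() {
  printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2.\3/p'
}

# Exit status: 0 = affected (3.0.0 through 3.0.6), 1 = not affected,
# 2 = version could not be parsed. Letter suffixes ("1.1.1q") are ignored,
# because 1.1.1 and 1.0.2 are out of scope per the advisory.
openssl_affected() {
  v=$(openssl_extract_version "$1")
  [ -n "$v" ] || return 2
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
    return 0
  fi
  return 1
}

# Human-readable verdict for one version string.
openssl_verdict() {
  rc=0
  openssl_affected "$1" || rc=$?
  case $rc in
    0) echo "AFFECTED: $1 (upgrade to OpenSSL 3.0.7)" ;;
    1) echo "not affected: $1" ;;
    *) echo "could not parse version from: $1" ;;
  esac
}

# Check the locally installed binary when one is on PATH.
if command -v openssl >/dev/null 2>&1; then
  openssl_verdict "$(openssl version)"
fi
```

Run it on each host (or feed it the `openssl version` output collected by your inventory tooling); a verdict of "AFFECTED" is the cue to apply the 3.0.7 upgrade the advisory recommends. Note that this checks only the version of the `openssl` binary on PATH; applications that statically link or bundle their own libssl need to be inventoried separately.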
How is Alert Logic helping me?
Alert Logic is actively researching this threat to build detection capabilities. Alert Logic appliances and infrastructure are not affected by this vulnerability.
Network IDS: Alert Logic has released IDS telemetry signatures to aid in detection research.
Vulnerability Scanning: Alert Logic has released authenticated scans based on version mapping detection.
Alert Logic has kicked off the Emerging Threat process for this vulnerability. This article will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available. To follow updates for this vulnerability, click FOLLOW at the top of this article. You must be signed into the Support Center using your Alert Logic product credentials to follow this article.
11/02/2022: IDS telemetry signatures have been released to aid in detection research.
11/02/2022: Authenticated scans have been released based on version mapping detection.