High-severity OpenSSL vulnerabilities fixed (CVE-2022-3602, CVE-2022-3786)
November 1, 2022 – Published on HelpNetSecurity
Version 3.0.7 of the popular OpenSSL cryptographic library is out, with fixes for CVE-2022-3602 and CVE-2022-3786, two high-severity buffer overflow vulnerabilities in the punycode decoder that could lead to crashes (i.e., denial of service) or potentially remote code execution.
CVE-2022-3602, whose existence was preannounced by the OpenSSL Project team a week ago, has luckily turned out to be less dangerous than initially thought.
“Exploiting this vulnerability requires quite a bit of set up and a number of factors to fall into place before it could be leveraged. Organizations should perform analysis to see if they are impacted, although there are relatively limited affected systems, as the attack primarily impacts the client-side, not the server. Technologies like SCA (software composition analysis) tools can help organizations identify where these components are so they can create an inventory and then a plan for remediation based on risk,” commented Victor Wieczorek, VP of App Sec, Threat & Attack Simulation at GuidePoint Security.
Read More HERE.