Safety Detectives
$ United States dollar
$ United States dollar Euro£ British poundAED UAE dirhamARS Argentine pesoAU$ Australian dollarBGN Bulgarian levR$ Brazilian realCA$ Canadian dollarCHF Swiss francCLP Chilean pesoCN¥ Chinese yuanCOP Colombian pesoCZK Czech korunaDKK Danish kroneEGP Egyptian poundHK$ Hong Kong dollarHUF Hungarian forintIDR Indonesian rupiah Israeli new shekelINR Indian rupee¥ Japanese yen South Korean wonMX$ Mexican pesoMYR Malaysian ringgitNOK Norwegian kroneNZ$ New Zealand dollarPLN Polish złotyRON Romanian leuRUB Russian rubleSAR Saudi riyalSEK Swedish kronaSGD Singapore dollar฿ Thai bahtTRY Turkish liraNT$ New Taiwan dollarUAH Ukrainian hryvnia Vietnamese DongZAR South African rand

OpenSSL Patches Two High-Severity Security Vulnerabilities

Colin Thierry
Colin Thierry
Colin Thierry Colin Thierry

The OpenSSL Project recently patched two high-severity security flaws in its open-source cryptographic library used to encrypt communication channels and HTTPS connections.

These vulnerabilities (CVE-2022-3602 and CVE-2022-3786) impact OpenSSL version 3.0.0 and later and were addressed in OpenSSL 3.0.7.

CVE-2022-3602 can be exploited to cause crashes or remote code execution (RCE), while CVE-2022-3786 can be utilized by threat actors through malicious email addresses to trigger a denial of service state.

“We still consider these issues to be serious vulnerabilities and affected users are encouraged to upgrade as soon as possible,” the OpenSSL team said in a statement on Tuesday.

“We are not aware of any working exploit that could lead to remote code execution, and we have no evidence of these issues being exploited as of the time of release of this post,” it added.

According to OpenSSL’s security policy, companies (like ExpressVPN) and IT admins were warned last week to search their environments for vulnerabilities and prepare to patch them once OpenSSL 3.0.7 was released.

“If you know in advance where you are using OpenSSL 3.0+ and how you are using it then when the advisory comes you’ll be able to quickly determine if or how you’re affected and what you need to patch,” said OpenSSL founder Mark J Cox in a Twitter post.

OpenSSL also provided mitigation measures requiring admins operating Transport Layer Security (TLS) servers to disable TLS client authentication until the patches were applied.

The impact of the vulnerabilities were much more limited than initially thought given that CVE-2022-3602 was downgraded from critical to high-severity and only impacts OpenSSL 3.0 and later instances.

Per cloud security firm Wiz.io, only 1.5% of all OpenSSL instances were found to be impacted by the security flaw after analyzing deployments across major cloud environments (including, AWS, GCP, Azure, OCI, and Alibaba Cloud).

The Netherlands’ National Cyber Security Centre also shared a list of software products confirmed to remain not impacted by the OpenSSL vulnerability.

About the Author
Colin Thierry
Colin Thierry
Writer

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.