Nov 1, 2022

What You Need to Know About OpenSSL-3.0.7

By The Veracode Research Team

OpenSSL has released version 3.0.7 with security fixes for the High Severity vulnerabilities CVE-2022-3786 and CVE-2022-3602 discussed here. Here is how to tell whether you are affected and what to do if you are.

Am I affected?

At this moment it appears that OpenSSL versions 3.0.0 through 3.0.6, and any application that uses the OpenSSL library in one of those versions, are vulnerable.

OpenSSL 3.x was released just about one year ago (OpenSSL 3.0 Has Been Released! - OpenSSL Blog); container images, distributions and software released before that date are unlikely to be affected.

OpenSSL can be installed through a package manager, which places it in well-known locations and configures it system-wide, or it can be dropped onto the system as a pre-compiled binary or even compiled locally from source. Given these different installation paths, it is not possible to enumerate every way of detecting which OpenSSL versions are installed on a system.
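As an added example (not Veracode's or OpenSSL's own code), the POSIX shell script below covers the two detection paths that are practical on most hosts: parsing the first line of `openssl version` for the CLI on PATH, and pulling the embedded "OpenSSL x.y.z" text out of any libssl shared object the dynamic linker cache knows about. It classifies each finding as affected (3.0.0 to 3.0.6), not affected (any other OpenSSL version, or LibreSSL/BoringSSL) or unknown, and goes slightly beyond the text by handling all three implementations' version banners. It assumes the CLI prints "OpenSSL <version> <date>" and that OpenSSL libraries embed the same text; the sample version lines and the `ldconfig` lookup are the script's own assumptions.

```shell
#!/bin/sh
# Added example, not Veracode's or OpenSSL's own code: classify OpenSSL
# versions found on a host against the affected range 3.0.0-3.0.6 (fixed
# in 3.0.7). Assumptions: `openssl version` prints "OpenSSL <ver> <date>",
# and OpenSSL shared libraries embed the same "OpenSSL <ver> <date>" text.

# openssl_affected VERSION
#   returns 0 if VERSION is in 3.0.0..3.0.6, 1 if outside, 2 if unparseable
openssl_affected() {
  v="$1"
  # keep only the leading digits of each component ("1.1.1q" -> 1 1 1)
  major=$(printf '%s\n' "$v" | cut -s -d. -f1 | sed 's/[^0-9].*$//')
  minor=$(printf '%s\n' "$v" | cut -s -d. -f2 | sed 's/[^0-9].*$//')
  patch=$(printf '%s\n' "$v" | cut -s -d. -f3 | sed 's/[^0-9].*$//')
  if [ -z "$major" ] || [ -z "$minor" ] || [ -z "$patch" ]; then
    return 2
  fi
  [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]
}

# classify_version_line "OpenSSL 3.0.5 5 Jul 2022"
#   prints affected | not-affected | unknown
classify_version_line() {
  impl=$(printf '%s\n' "$1" | awk '{print $1}')
  ver=$(printf '%s\n' "$1" | awk '{print $2}')
  # LibreSSL and BoringSSL are not affected by these CVEs
  case "$impl" in
    OpenSSL) ;;
    LibreSSL|BoringSSL) echo "not-affected"; return 0 ;;
    *) echo "unknown"; return 0 ;;
  esac
  if openssl_affected "$ver"; then rc=0; else rc=$?; fi
  case "$rc" in
    0) echo "affected" ;;
    1) echo "not-affected" ;;
    *) echo "unknown" ;;
  esac
}

# classify_library /path/to/libssl.so.3
#   extracts the embedded "OpenSSL x.y.z" text from the binary and classifies it
classify_library() {
  line=$(grep -a -o -m1 'OpenSSL [0-9][0-9.]*[a-z]*' "$1" 2>/dev/null | head -n1)
  if [ -z "$line" ]; then echo "unknown"; return 0; fi
  classify_version_line "$line"
}

# scan_host: check the openssl CLI on PATH and every libssl in the dynamic
# linker cache (ldconfig is Linux-specific and is skipped elsewhere)
scan_host() {
  if command -v openssl >/dev/null 2>&1; then
    echo "cli: $(classify_version_line "$(openssl version 2>/dev/null | head -n1)")"
  fi
  if command -v ldconfig >/dev/null 2>&1; then
    ldconfig -p 2>/dev/null | awk '/libssl\.so/ {print $NF}' | sort -u |
    while read -r lib; do
      echo "$lib: $(classify_library "$lib")"
    done
  fi
}

# Demo on constructed `openssl version` lines (not real host output)
for sample in "OpenSSL 3.0.5 5 Jul 2022" "OpenSSL 3.0.7 1 Nov 2022" \
              "OpenSSL 1.1.1q  5 Jul 2022" "LibreSSL 3.3.6"; do
  echo "$sample -> $(classify_version_line "$sample")"
done
scan_host
```

This only finds the system copy and libraries registered with the dynamic linker; a statically linked or vendored OpenSSL inside an application binary or container image will not show up, which is exactly the gap an inventory of application components is meant to close.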

LibreSSL is not affected by this vulnerability (oss-security - Re: Forthcoming OpenSSL Releases).

BoringSSL is not affected either.

These documents list the software confirmed to be affected and the software confirmed not to be affected:

Upcoming Critical OpenSSL Vulnerability: What will be Affected? - SANS Internet Storm Center

OpenSSL-2022/README.md at main · NCSC-NL/OpenSSL-2022

openssl-vuln-nov-2022/list.csv at main · pblumo/openssl-vuln-nov-2022

Remediation

Proper vulnerability management relies on maintaining an inventory of the components present in your environment and the modules that make up your applications. This case is no different: knowing which assets carry a vulnerable version speeds up remediation once the fixed version of the library is available.

As suggested by the OpenSSL security team in their blog post, update to the latest version, 3.0.7, or obtain an updated copy from your operating system vendor or third-party provider.

How Veracode helps you to address this problem:

If you have bundled OpenSSL in your applications, our Software Composition Analysis (SCA) product can help you quickly verify whether an application portfolio that you’re scanning with us is affected.

To verify whether your applications use vulnerable versions of OpenSSL, log in to the Veracode Platform and check which versions of OpenSSL appear as dependencies of your applications by following this guide: https://docs.veracode.com/r/c_SCA_comps

References

  1. Forthcoming OpenSSL Releases

  2. OpenSSL-2022/README.md at main · NCSC-NL/OpenSSL-2022

  3. openssl-vuln-nov-2022/list.csv at main · pblumo/openssl-vuln-nov-2022

  4. https://www.paloaltonetworks.com/blog/prisma-cloud/prepare-openssl-vulnerability/

  5. Effectively Preparing for the OpenSSL 3.x Vulnerability

  6. Upcoming Critical OpenSSL Vulnerability: What will be Affected? - SANS Internet Storm Center

  7. CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows - OpenSSL Blog

  8. https://www.openssl.org/news/secadv/20221101.txt
