Application Security · Engineering · Open Source · Vulnerabilities

Update: OpenSSL high severity vulnerabilities

Vandana Verma, November 2, 2022

OpenSSL has disclosed two high severity vulnerabilities, CVE-2022-3602 and CVE-2022-3786, both buffer overruns. OpenSSL initially rated CVE-2022-3602 as critical, but upon further investigation it was downgraded to high severity.

What is a buffer overrun?

A buffer overrun (or buffer overflow) is a runtime defect that lets a program write past the end of a buffer or array and corrupt the adjacent memory, which is where the name comes from. Unlike most bugs, a buffer overflow does not show up on every execution of the program: specific conditions, such as unexpected user input, are needed to reach the vulnerable write.

Both high severity vulnerabilities are triggered during name constraint checking in X.509 certificate verification.

  • X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602)
  • X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)
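The buffer overrun class described above, and the single out-of-bounds 4-byte write that CVE-2022-3602 allows, can be illustrated with a small decoder-style routine that appends 32-bit code points to a fixed-size output buffer. This is an added example written for this page, not OpenSSL's code or the project's patch: the function names, the guard slot and the sample input are constructed, and the off-by-one shown (store first, then bound-check with the wrong comparison) is a generic pattern rather than a reproduction of the OpenSSL source. The guard slot makes the overrun observable without touching memory outside the array.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Sentinel placed in the slot just past the real buffer so that a write
   beyond the end is observable without corrupting unrelated memory.
   (Constructed for this illustration.) */
#define GUARD_VALUE 0xDEADBEEFu

typedef int (*append_fn)(const uint32_t *, size_t, uint32_t *, size_t);

/* Vulnerable pattern: the element is stored first and the bound is checked
   afterwards with '>'. When 'written' equals max_out the check still passes,
   so the next iteration stores one 4-byte element at out[max_out], i.e. one
   element past the end of the buffer. */
int append_codepoints_vulnerable(const uint32_t *in, size_t n_in,
                                 uint32_t *out, size_t max_out)
{
    size_t written = 0;
    for (size_t i = 0; i < n_in; i++) {
        out[written++] = in[i];
        if (written > max_out)   /* off by one: rejects only after the overrun */
            return 0;
    }
    return 1;
}

/* Hardened form: check for room before the write, and fail closed when the
   input does not fit. */
int append_codepoints_fixed(const uint32_t *in, size_t n_in,
                            uint32_t *out, size_t max_out)
{
    size_t written = 0;
    for (size_t i = 0; i < n_in; i++) {
        if (written >= max_out)
            return 0;            /* input too long for the buffer */
        out[written++] = in[i];
    }
    return 1;
}

/* Runs one of the two routines with a 4-slot buffer followed by a guard slot,
   feeding five constructed code points (one more than fits).
   Returns 1 if the guard slot was overwritten, 0 if it survived. */
int guard_overwritten(append_fn fn)
{
    enum { SLOTS = 4 };
    uint32_t buf[SLOTS + 1];
    const uint32_t sample[5] = { 'a', 'b', 'c', 'd', 'e' }; /* constructed input */

    memset(buf, 0, sizeof buf);
    buf[SLOTS] = GUARD_VALUE;
    (void)fn(sample, 5, buf, SLOTS);
    return buf[SLOTS] != GUARD_VALUE;
}

/* Convenience wrapper: does the fixed routine accept n_in code points into a
   buffer of max_out slots? Returns -1 if the arguments exceed the scratch space. */
int fixed_accepts(size_t n_in, size_t max_out)
{
    uint32_t in[8] = {0}, out[8];
    if (n_in > 8 || max_out > 8)
        return -1;
    return append_codepoints_fixed(in, n_in, out, max_out);
}

int main(void)
{
    printf("vulnerable routine clobbered guard: %d\n",
           guard_overwritten(append_codepoints_vulnerable));
    printf("fixed routine clobbered guard:      %d\n",
           guard_overwritten(append_codepoints_fixed));
    return 0;
}
```

The detection value of the guard slot is the same idea that stack canaries provide at run time: a known value sits after the buffer and is checked for corruption. Compile the vulnerable variant with a sanitizer (for example `-fsanitize=address`) and the overrun is reported directly instead of silently overwriting whatever sits next to the buffer.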

A TLS client can trigger the vulnerability by connecting to a malicious server. A TLS server can also be affected when a malicious client connects and the server requests client authentication.

OpenSSL 3.0.7 has been released with fixes for both issues. Until it is applied, any OpenSSL 3.0 program that verifies X.509 certificates obtained from untrusted sources should be regarded as insecure and exploitable by attackers.

Until the upgrade has been applied, TLS client authentication should be disabled on clients and servers where it is in use.

Affected versions

OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue.

Unaffected versions

  • 1.1.1
  • 1.1.0
  • 1.0.2
  • 1.0.1
  • 1.0.0
  • 0.9.x
  • fips
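To turn the affected and unaffected ranges above into a check, the following C routine classifies the output of `openssl version` against them. It is an added example written for this page, not part of the post or of OpenSSL; the function and enum names are constructed, and it assumes the ranges stated above (3.0.0 to 3.0.6 affected, 3.0.7 fixed, the 1.x and 0.9.x branches unaffected). It goes one step beyond the post by treating any 3.x release newer than 3.0.7 as carrying the fix.

```c
#include <stdio.h>
#include <string.h>

/* Result of comparing a version against the ranges given in the advisory. */
typedef enum {
    OSSL_AFFECTED,    /* 3.0.0 through 3.0.6: upgrade to 3.0.7 */
    OSSL_FIXED,       /* 3.0.7, or a later 3.x release */
    OSSL_UNAFFECTED,  /* 1.1.1, 1.1.0, 1.0.x, 0.9.x: vulnerable code not present */
    OSSL_UNKNOWN      /* string could not be parsed as a version */
} ossl_status;

/* Parses "openssl version" output such as "OpenSSL 3.0.5 5 Jul 2022",
   "OpenSSL 1.1.1q  5 Jul 2022" or a bare "3.0.7", and classifies it.
   Letter suffixes on 1.x versions (the 'q' in 1.1.1q) are ignored because
   the whole 1.x branch is unaffected. */
ossl_status classify_openssl_version(const char *s)
{
    int major, minor, patch;

    if (s == NULL)
        return OSSL_UNKNOWN;
    if (strncmp(s, "OpenSSL ", 8) == 0)
        s += 8;                          /* skip the product name prefix */
    if (sscanf(s, "%d.%d.%d", &major, &minor, &patch) != 3)
        return OSSL_UNKNOWN;
    if (major < 0 || minor < 0 || patch < 0)
        return OSSL_UNKNOWN;

    if (major < 3)
        return OSSL_UNAFFECTED;          /* 0.9.x, 1.0.x, 1.1.x */
    if (major == 3 && minor == 0)
        return patch <= 6 ? OSSL_AFFECTED : OSSL_FIXED;
    return OSSL_FIXED;                   /* 3.1 and later were released after 3.0.7 */
}

/* Human-readable label for a classification result. */
const char *ossl_status_name(ossl_status st)
{
    switch (st) {
    case OSSL_AFFECTED:   return "AFFECTED (3.0.0-3.0.6): upgrade to 3.0.7";
    case OSSL_FIXED:      return "FIXED (3.0.7 or later)";
    case OSSL_UNAFFECTED: return "UNAFFECTED (pre-3.0 branch)";
    default:              return "UNKNOWN (could not parse version)";
    }
}

/* Run with the output of `openssl version` as the first argument, e.g.
   ./check "$(openssl version)"; without an argument it classifies a set of
   constructed sample strings. */
int main(int argc, char **argv)
{
    const char *samples[] = {
        "OpenSSL 3.0.5 5 Jul 2022",
        "OpenSSL 3.0.7 1 Nov 2022",
        "OpenSSL 1.1.1q  5 Jul 2022",
        "not a version",
    };

    if (argc > 1) {
        printf("%s -> %s\n", argv[1],
               ossl_status_name(classify_openssl_version(argv[1])));
        return 0;
    }
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s -> %s\n", samples[i],
               ossl_status_name(classify_openssl_version(samples[i])));
    return 0;
}
```

Note that this checks the OpenSSL binary on the path, not the library a given application was linked against; statically linked applications and vendored copies (for example in language runtimes or container images) need to be checked separately, which is the gap the Snyk Open Source and Snyk Container sections below address.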

Impact

  • Denial of Service
  • Remote Code Execution

How can Snyk help?

Snyk Open Source

Now that the vulnerability details have been made available, Snyk Open Source projects will flag the vulnerability in their next retest. For projects configured for daily testing, that will happen within the next 24 hours. Clients can, of course, manually trigger retests on critical projects to see these results sooner.

You can also scan your open source dependencies from the Snyk CLI using the `snyk test` command.

Snyk Container

When an advisory like the OpenSSL CVE is issued, each Linux distro maintainer then has to triage and issue their own advisory. It’s this distro advisory that triggers the detections in Snyk Container. This means there will likely be some lag between the OpenSSL advisory and the first Snyk Container detections, based on how quickly the Linux distro maintainers release their advisories. Learn more about how this process works with our post on simplifying container security.

Once that happens, you’ll see these detections flagged in Snyk Container test results. For both Snyk Open Source and Snyk Container, you’ll see results in reporting up to 9 hours after the above conditions are met due to existing data latency. This latency may be shorter when using the beta reporting to view issues.

Recommendations

  • OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.
  • Rely on stack overflow protections (stack canaries and similar compiler mitigations) as defense in depth: they reduce the risk of the overflow being turned into code execution, but they do not replace the upgrade.

Update on the data for Ubuntu advisories in Snyk VulnDB

  • https://security.snyk.io/vuln/SNYK-UBUNTU2210-OPENSSL-3092607 (CVE-2022-3602)
  • https://security.snyk.io/vuln/SNYK-UBUNTU2204-OPENSSL-3092568 (CVE-2022-3786)
  • https://security.snyk.io/vuln/SNYK-UBUNTU2210-OPENSSL-3092584 (CVE-2022-3786)
  • https://security.snyk.io/vuln/SNYK-UBUNTU2204-OPENSSL-3092591 (CVE-2022-3602)

References

  • https://www.openssl.org/news/vulnerabilities.html
  • https://security.snyk.io/vuln/SNYK-UNMANAGED-OPENSSL-3090874 (CVE-2022-3602)
  • https://security.snyk.io/vuln/SNYK-UNMANAGED-OPENSSL-3092519 (CVE-2022-3786)
  • https://cve.org/CVERecord?id=CVE-2022-3786
  • https://cve.org/CVERecord?id=CVE-2022-3602
  • https://www.openssl.org/news/secadv/20221101.txt
  • https://mta.openssl.org/pipermail/openssl-announce/2022-November/000241.html
  • https://distrowatch.com/search.php?pkg=openssl&relation=similar&pkgver=3.&distrorange=InAny#pkgsearch
  • https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/

© 2023 Snyk Limited