OSG-SEC-2022-11-02 HIGH OpenSSL buffer overflows
Dear OSG Security Contacts,
Two buffer overflow vulnerabilities were found in the OpenSSL toolkit: X.509 Email Address Buffer Overflow (CVE-2022-3602) [9] and X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786) [10]. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full strength general purpose cryptography library.
IMPACTED VERSIONS:
OpenSSL 3.0.0 - 3.0.6 (Older versions of OpenSSL are not affected.)
WHAT ARE THE VULNERABILITIES:
The two separate buffer overflow vulnerabilities were discovered in the OpenSSL toolkit. A buffer overrun can be triggered by sending an X.509 certificate with a specially crafted email address field to a vulnerable client or server. This can result in an overflow of four attacker-controlled bytes on the stack. This could result in a crash (causing a denial of service) or possibly result in remote code execution. [7][8]
WHAT YOU SHOULD DO:
Several newer releases of Linux distributions include the OpenSSL 3.0 packages: RHEL 9, Ubuntu 22.04, Ubuntu 22.10. Some distributions may also provide the packages as non-standard add-ons like RHEL 8 through EPEL (Extra Packages for Enterprise Linux). You'll want to first establish if any of your Linux systems are impacted. If they are, update their OpenSSL 3.0 packages with the latest available patched versions.
Sites running RHEL should see [1]
Sites running CentOS should also see [1]
Sites running Ubuntu should see [2]
Sites running Scientific Linux should see [3]
Sites running Debian should see [4]
Sites running RockyLinux should see [5]
Sites running Almalinux should see [6]
REFERENCES
[1] https://access.redhat.com/errata/RHSA-2022:7288
[2] https://ubuntu.com/security/notices/USN-5710-1
[3] https://www.scientificlinux.org/category/sl-errata/
[4] https://security-tracker.debian.org/tracker
[5] https://errata.rockylinux.org/
[6] https://errata.almalinux.org/
[7] https://bugzilla.redhat.com/show_bug.cgi?id=2137723
[8] https://bugzilla.redhat.com/show_bug.cgi?id=2139104
[9] https://access.redhat.com/security/cve/CVE-2022-3602
[10] https://access.redhat.com/security/cve/CVE-2022-3786
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team