Overview
OpenSSL, a very widely used software library in a range of commercial and internal applications, has been reported as having two serious security flaws that could expose computer systems to attacks.
Software developers, OpenSSL Project, has released version 3.0.7. to fix these security flaws.
OCSIA recommends that Users of OpenSSL check their software version as soon as possible to see whether there could be vulnerability and to update to the latest version. If you are unsure whether your organisation uses OpenSSL, it is strongly recommended that you check with your I.T. team or I.T. service provider.
Detail
What is OpenSSL? It is an open-source, cryptographic, software-library commonly used by internet servers and the majority of HTTPS websites to encrypt communication channels and HTTPS connections. SSL stands for Secure Sockets Layer, a cryptographic communications protocol.
The two flaws could be exploited to create a denial-of-service (DOS) attack by crashing systems and therefore denying their use. These flaws could possibly also allow remote code execution where an attacker could remotely effect commands or code of the attacker's choice on a target machine
The buffer overflow vulnerabilities, CVE-2022-3786 and CVE-2022-3602, can affect OpenSSL versions from 3.0.0. up to 3.0.6. (with the exception of 3.0.7). OpenSSL 1.0.2, 1.1.1 and other earlier versions are not affected. However, any OpenSSL 3.0 application that verifies X.509 certificates received from untrusted sources should be considered vulnerable.
The overflows can be triggered in X.509 certificate verification, specifically in name constraint checking.
CVE-2022-3602 was initially categorised as ‘Critical’ as the vulnerability could lead to remote code execution. It is now considered that remote code execution is less likely than initially thought but this is still a possibility partly dependent on implementation of stack overflow protections on User platforms. A system could instead crash where such protections exist therefore presenting a denial-of-service risk.
No known exploits of these vulnerabilities have yet been identified.
Recommended Action
- Users of OpenSSL 3.0.0 - 3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible. If you obtain your copy of OpenSSL from your Operating System vendor or other third-party then you should seek to obtain an updated version from them as soon as possible.
- If patching cannot be applied immediately, Users of TLS servers should consider disabling TLS client authentication.
- For further details, please refer to the OpenSSL vulnerabilities website and OpenSSL Security blog
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.