Skip to main content

CVE-2022-3786 / CVE-2022-3602- OpenSSL 3.x Vulnerability Analysis

Issue

An OpenSSL vulnerability has been partially publicly disclosed regards OpenSSL >= 3.0.0. A new version of OpenSSL, 3.0.7, was released on Nov 1st addressing the relevant vulnerabilities. Armory has confirmed that Armory CDSH contains OpenSSL 1.1.1 in versions 2.26.5, 2.27.4, and 2.28.0, and is therefore not currently a part of the OpenSSL 3.x vulnerability. No action is required for Armory customers at this time. The OpenSSL Project has advised that a security fix for versions lower than 3.0.0 is unnecessary. Although a release for 1.1.1 is planned for release on Nov 1st (v1.1.1s), according to OpenSSL is not related to the critical CVE and has been announced as a bug fix. For more information on the OpenSSL 3.0.7 patch, please review the information provided in the following OpenSSL's blog: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/ The following CVEs are addressed with the OpenSSL 3.0.7 patch:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3786 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3602 Any potential issues regarding OpenSSL can be reduced or mitigated if Armory products are run in a closed network and not open to the internet. We recommend that customers check their Gate and Deck endpoints are not directly exposed to the internet and review their firewalls and security settings. We'll keep an eye on further information and update our customers as we discover more information. We are also on standby to publish a new release for Armory Products should it be necessary. Currently, Armory is monitoring for updates on the contents of the vulnerability and evaluating the situation. Updates will be forthcoming as more information is provided to us. An example of the information provided to security personnel around the world can be found below: https://www.darkreading.com/vulnerabilities-threats/prepare-critical-flaw-openssl-security-experts-warn https://blog.aquasec.com/openssl-vulnerability-2022 https://snyk.io/blog/new-openssl-critical-vulnerability/ Update (2022/11/01):

OpenSSL has published the following blog detailing the 3.0.7 vulnerability:https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/* The following CVEs were referenced:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3786 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3602* Updated title to reflect reported CVE #s Update (2022/11/02):
Updated information to reflect the CVEs have published data on cve.mitre.org

Cause

None/Not Applicable at this time

Issue
Cause