ADVISORY: Patch OpenSSL 3.0.0 - 3.0.6 for buffer overflow vulnerability
Tuesday, November 1, 2022
Updated 11-1-2022
This message is intended for U-M IT staff who are responsible for university systems running OpenSSL 3.0.0 - 3.0.6.
This advisory updates information provided in the ITS Information Assurance Alert from 10-31-2022. Specifics about the vulnerability announced on 10-31-2022 have been released. Please note this vulnerability has changed from critical to high.
Summary
A buffer overflow vulnerability has been found in versions of OpenSSL 3.0.0 - 3.0.6. Systems running OpenSSL 3.0.0 - 3.0.6 should be updated to OpenSSL 3.0.7 as soon as possible after appropriate testing.
Problem
A buffer overflow vulnerability in OpenSSL 3.0.0 - 3.0.6 may leave systems running those versions of OpenSSL vulnerable to compromise including possible remote code execution (RCE). A patch for the vulnerability in OpenSSL 3.0.0 - 3.0.6 has been announced and should be applied asap after appropriate testing. This patch updates systems to OpenSSL 3.0.7.
Affected Versions
OpenSSL 3.0.0 - 3.0.6
Action Items
Check for installations of OpenSSL 3.0.0 - 3.0.6 on systems for which you are responsible. Test and apply the patch to OpenSSL 3.0.0 - 3.0.6 as soon as possible.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows (OpenSSL Blog, 11-1-2022)
- Second-ever OpenSSL critical vulnerability teased, 10 years after Heartbleed (IT Pro, 10/28/22)
- Prepare Now for Critical Flaw in OpenSSL, Security Experts Warn (Dark Reading, 10/27/22)
- Incoming OpenSSL critical fix: Organizations, users, get ready! (Help Net Security, 10/26/22
- OpenSSL Deems Vulnerability ‘Critical’, Will Publish Patch Tuesday (Security Boulevard, 10/31/22)
- Discovering the Critical OpenSSL Vulnerability with the CrowdStrike Falcon Platform (Crowdstrike Blog, 10/28/22)