Important note! OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786 affect only the 3.0 branch, versions 3.0.0 through 3.0.6. The 1.1.1 and 1.0.2 branches are not affected, and 3.0.7 carries the fix.
OpenSSL is a cryptography library that provides an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
Both bugs are stack buffer overflows in X.509 certificate verification, specifically in name constraint checking, reached through the punycode decoder used for internationalised email addresses in certificates. With CVE-2022-3602 a crafted email address overflows four attacker-controlled bytes on the stack, which can crash the process (denial of service) or potentially lead to remote code execution; with CVE-2022-3786 it overflows an arbitrary number of `.` bytes and leads to a crash. A TLS client reaches the code when it connects to a malicious server, a TLS server only when it requests client authentication and a malicious client connects. Because the check runs after chain signature verification, the malicious certificate must either be signed by a CA the victim trusts or the application must continue verifying despite failing to build a path to a trusted issuer.
The Netherlands' National Cyber Security Centre (NCSC-NL) maintains a list of software products confirmed to be affected or unaffected by these OpenSSL vulnerabilities.
Red Hat Enterprise Linux 9, Ubuntu 22.04 and later, CentOS Stream 9, Kali 2022.3, Debian 12 and Fedora 36 ship the OpenSSL 3.0 branch and therefore needed the fix; earlier releases of these distributions ship the 1.1.1 branch and are not affected.
Severity level: OpenSSL rates both vulnerabilities high. CVE-2022-3602 was pre-announced as critical and downgraded to high on release day, because the stack overflow protections on many platforms, together with the stack layout of common platform/compiler combinations, make remote code execution unlikely; CVE-2022-3786 was rated high from the start.
How to find out if you’re vulnerable?
With CloudWize, your critical vulnerabilities appear automatically when you open the Insights panel, so if you have a vulnerable OpenSSL build you will see it immediately. There is nothing to push and no script to run; we pull it for you.
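If you want to check a host by hand, the following script is an added example written for this page; it is not CloudWize's or the OpenSSL project's code. It classifies an `openssl version` string against the affected range (3.0.0 through 3.0.6) and, when run with the example's own `--scan` flag, also reads the version text embedded in every libcrypto.so.3 the dynamic linker knows about. The function names and flag are this example's choices. It cannot see statically linked or vendored copies of OpenSSL (language runtimes, container images, appliances), which is where the NCSC-NL list above earns its keep.

```shell
#!/bin/sh
# Added example, not CloudWize's or OpenSSL's code: classify "openssl version"
# output against the range hit by CVE-2022-3602 / CVE-2022-3786.
# Affected: 3.0.0 through 3.0.6. Fixed: 3.0.7 and later. The 1.1.1 and 1.0.2
# branches never had the punycode decoder, so they are not affected.

# Print "affected", "fixed", "unaffected" or "unknown" for one version string.
# Return 0 only when the string is an affected OpenSSL 3.0.x build.
classify_openssl_version() {
    # Take the last "OpenSSL major.minor.patch" on the line, which is the
    # "(Library: ...)" part when present, since the loaded library is what
    # matters. Letter suffixes such as 1.1.1f are ignored; LibreSSL or
    # BoringSSL strings contain no "OpenSSL " and come back as "unknown".
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p' |
        head -n 1)
    if [ -z "$ver" ]; then
        echo unknown
        return 2
    fi
    set -- $ver
    if [ "$1" -lt 3 ]; then
        echo unaffected
        return 1
    elif [ "$1" -eq 3 ] && [ "$2" -eq 0 ] && [ "$3" -le 6 ]; then
        echo affected
        return 0
    fi
    echo fixed
    return 1
}

# Check the host's default openssl binary and every libcrypto.so.3 the dynamic
# linker knows about. Vendored or statically linked copies (language runtimes,
# container images, appliances) are invisible here and need their own inventory.
scan_host() {
    if command -v openssl >/dev/null 2>&1; then
        v=$(openssl version 2>/dev/null)
        printf '%-10s openssl binary: %s\n' "$(classify_openssl_version "$v")" "$v"
    fi
    # The version text is embedded in libcrypto itself, so read it out of the
    # file instead of trusting the file name or the package database.
    for lib in $(ldconfig -p 2>/dev/null | awk '/libcrypto\.so\.3/ {print $NF}'); do
        v=$(tr -c '[:print:]' '\n' < "$lib" | grep -m 1 '^OpenSSL [0-9]')
        printf '%-10s %s: %s\n' "$(classify_openssl_version "$v")" "$lib" "$v"
    done
}

case "${1:-}" in
    --scan) scan_host ;;
    *) : ;;   # sourced or run without --scan: only define the functions
esac
```

Run it as `sh check_openssl.sh --scan` on each host, or source it and feed `classify_openssl_version` the output of `openssl version` collected from containers and appliances. A result of "affected" for any libcrypto.so.3 means every process that has loaded that file needs a restart after the update, not just the openssl binary.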
How to fix it?
To stop attackers exploiting these vulnerabilities, update to OpenSSL 3.0.7 immediately (or to your distribution's patched build of the 3.0 package), then restart every process that had the old library loaded. Check not only the system package but also vendored and statically linked copies of OpenSSL in containers, language runtimes and appliances, which your package manager does not see.