Two critical vulnerabilities that were found in OpenSSL Project’s open-source cryptographic library have now been downgraded to high-severity. CVE-2022-3602 and CVE-2022-3786 affects OpenSSL version 3.0.0 and later. The flaws have been patched but could still be exploited by attackers.
CVE-2022-3602, an arbitrary 4-byte stack buffer overflow vulnerability, could trigger crashes or lead to remote code execution. CVE-2022-3786 is a vulnerability that could be exploited by attackers via malicious emails, allowing them to trigger a denial-of-service state via a buffer overflow.
OpenSSL stated that they are not aware of working exploits, and they did not have evidence of the vulnerabilities being exploited at the time of their advisory. The flaws have since been patched with the release OpenSSL 3.0.7 today. The patch comes on the heels of OpenSSL announcing that they would be releasing an update on November 1, 2022. According to Mark J. Cox, their policy is to provide people with a date for patches, then they will know to be ready to parse an advisory and see if the issue affects them.
“Given the number of changes in 3.0 and the lack of any other context information, such scouring is very highly unlikely.” – Mark J. Cox
However, the OpenSSL team stated that although the vulnerabilities have been downgraded, they still consider them to be serious. The reason why the vulnerabilities were downgraded from critical to high-severity is because they no longer believe the critical rating applied to CVE-2022-3602. OpenSSL’s policy states that “a vulnerability is rated critical if remote code execution is considered likely in common situations.”
CVE-2022-3602 was not rated critical from the beginning due to only the length and not the content of the overwrite being attacker controlled. OpenSSL 1.0.2, 1.1.1 and other earlier versions are not affected.
OpenSSL Recommends the following: