Security Bulletin

SecB0006: CVE-2022-3786 AND CVE-2022-3602

OpenSSL Vulnerability

Summary

First published: November 16, 2022

Description: An advisory regarding a buffer overflow vulnerability in OpenSSL 3.0 (fixed in version 3.0.7) has been identified and published. In both CVEs, a buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.

Affected Products: N/A

Recommended Action: Enable firewall protection

CVSS v3.X Base Score: 7.5 High

CVE ID:

Description

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a Certificate Authority (CA) to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the '.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

Recommended Action

Users of OpenSSL 3.0.0 - 3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible. If you obtain your copy of OpenSSL from your Operating System vendor or other third party, then you should seek to obtain an updated version from them as soon as possible.
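As an added example (not part of the Delta Controls bulletin or the OpenSSL project), the check below classifies the OpenSSL build linked into the running Python interpreter against the 3.0.0 - 3.0.6 range named above, and builds a TLS client context that never continues verification after a failed path build, which the Description identifies as one of the two preconditions for reaching the overrun. Function names are this example's own.

```python
import ssl

# Affected range as stated in the bulletin: OpenSSL 3.0.0 through 3.0.6, fixed in 3.0.7.
AFFECTED_MIN = (3, 0, 0)
FIXED_IN = (3, 0, 7)


def openssl_affected(version_info):
    """Return True if an OpenSSL (major, minor, fix, ...) tuple falls in 3.0.0 - 3.0.6.

    ssl.OPENSSL_VERSION_INFO carries five fields; only the first three matter here.
    The 1.1.1 series uses a different numbering and is outside the stated range.
    """
    v = tuple(version_info[:3])
    return AFFECTED_MIN <= v < FIXED_IN


def strict_client_context(cafile=None):
    """Client context that refuses to proceed when no path to a trusted issuer exists.

    The bulletin notes the overrun is reached only after chain verification, so an
    application that ignores verification failures widens its exposure. Keeping
    CERT_REQUIRED and hostname checking on leaves no 'continue anyway' path.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def report(version_info=None, version_string=None):
    """Human-readable status line for the linked OpenSSL build (or a supplied tuple)."""
    info = version_info if version_info is not None else ssl.OPENSSL_VERSION_INFO
    name = version_string if version_string is not None else ssl.OPENSSL_VERSION
    if openssl_affected(info):
        return f"{name}: AFFECTED by CVE-2022-3786 / CVE-2022-3602, upgrade to 3.0.7 or later"
    return f"{name}: not in the affected 3.0.0 - 3.0.6 range"


if __name__ == "__main__":
    print(report())
```

Run it on each host whose applications link OpenSSL through Python; builds obtained from an OS vendor report the vendor's version string, so confirm backported fixes with the vendor as the bulletin advises.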

Appendix: About CVSS

All CVSS scores can be mapped to the qualitative ratings defined by the Qualitative Severity Rating Scale table (see below):

Rating     CVSS Score
None       0.0
Low        0.1 – 3.9
Medium     4.0 – 6.9
High       7.0 – 8.9
Critical   9.0 – 10.0

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base group represents the intrinsic qualities of a vulnerability that are constant over time and across user environments. The Base group is composed of two sets of metrics: the Exploitability metrics and the Impact metrics.

The Exploitability metrics reflect the ease and technical means by which the vulnerability can be exploited. That is, they represent characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component. On the other hand, the Impact metrics reflect the direct consequence of a successful exploit and represent the consequence to the thing that suffers the impact, which we refer to formally as the impacted component.

The CVSS v3.0 vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form.

For more information, visit the CVSS website at: http://www.first.org/cvss/
