OpenSSL version 3.0.7 is now available and should be applied as soon as possible, the developers say.
OpenSSL version 3.0.7 was announced last week as an important security fix. The vulnerabilities patched with this release are CVE-2022-3786 (X.509 Email Address Variable Length Buffer Overflow) and CVE-2022-3602 (X.509 Email Address 4-byte Buffer Overflow).
The vulnerabilities are limited-circumstance, client-side overflows that are mitigated by the stack layout of most modern platforms. Both were rated as high-risk and can be patched through the new release.
With OpenSSL 1.1.1 still in its long-term support phase, OpenSSL 3.x.x versions are not nearly as widespread. Prior to the release of the patch, the CVE-2022-3602 vulnerability was designated as critical.
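As an added illustration (not from the article or the OpenSSL project), the following Python triages `openssl version` banners from an inventory against the patch: builds in the 3.0 series below 3.0.7 still need the update, 1.1.1 builds do not contain the affected code. The hostnames and banner strings are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Matches the first line of `openssl version`, e.g. "OpenSSL 3.0.5 5 Jul 2022"
# or "OpenSSL 1.1.1q  5 Jul 2022"; the letter suffix used by the 1.1.1 series
# is captured but not needed, since only the 3.0 series is affected.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# CVE-2022-3602 and CVE-2022-3786 affect OpenSSL 3.0.0 through 3.0.6 and are
# fixed in 3.0.7; the 1.1.1 series does not contain the affected code.
FIXED_IN = (3, 0, 7)


def parse_version(banner: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from an `openssl version` banner."""
    match = _BANNER_RE.search(banner)
    if match is None:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, patch, _suffix = match.groups()
    return int(major), int(minor), int(patch)


def triage(banner: str) -> str:
    """Return 'not_affected', 'vulnerable' or 'fixed' for one build."""
    version = parse_version(banner)
    if version[0] < 3:
        return "not_affected"          # 1.1.1 and earlier lack the bug
    if version < FIXED_IN:
        return "vulnerable"            # 3.0.0 - 3.0.6: upgrade to 3.0.7
    return "fixed"                     # 3.0.7 or later


def vulnerable_hosts(banners: Dict[str, str]) -> List[str]:
    """Given host -> banner, list the hosts that still need the 3.0.7 update."""
    return sorted(h for h, b in banners.items() if triage(b) == "vulnerable")


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-01": "OpenSSL 1.1.1q  5 Jul 2022",
    "build-01": "OpenSSL 3.0.2 15 Mar 2022",
}

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> upgrade to OpenSSL 3.0.7")
```

Distribution packages often backport the fix without changing the version banner, so a build this script flags may already be patched; confirm against the package changelog before raising an incident.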
What prompted the change
The OpenSSL Security Team described the new release in a blog post on 1 November 2022. They note that CVE-2022-3602 was originally assessed as a critical vulnerability by the OpenSSL project as it’s an arbitrary 4-byte stack buffer overflow. Such vulnerabilities can often lead to remote code execution (RCE).
However, during the past week, several organisations performed tests and gave the team feedback on the issue. That feedback showed that the stack layout of certain Linux distributions caused the overflow to overwrite an adjacent buffer that was yet to be used. As a result, the vulnerability was unable to cause a crash or permit remote code execution.
In addition, the project team noted that many modern platforms implement stack overflow protections which mitigate the risk of remote code execution and usually lead to a crash instead. Based on that feedback, the OpenSSL team downgraded the threat from critical to high. It should also be noted that the second vulnerability (CVE-2022-3602) was never rated as critical, and has always been considered high-risk.
No abuse in the wild
The OpenSSL Security Team also commented on whether these vulnerabilities are being exploited in the wild. “We are not aware of any working exploit that could lead to remote code execution”, they wrote, “and we have no evidence of these issues being exploited as of the time of the release of this post.”