Two vulnerabilities (CVE-2022-3602 and CVE-2022-3786) in the OpenSSL open-source cryptographic library have been fixed by the OpenSSL Project. The vulnerabilities affect the 3.0 series from version 3.0.0 onward and have been fixed in OpenSSL version 3.0.7; earlier branches such as 1.1.1 are not affected. There is currently no known working proof-of-concept that exploits these vulnerabilities. CVE-2022-3602 is a stack buffer overflow that was initially rated critical because of its potential for remote code execution, but it has since been downgraded to high severity. CVE-2022-3786 is also a buffer overflow and could lead to a denial of service.
According to data from Censys, only around 7,000 of over 1,793,000 public-facing servers running OpenSSL were found to be running vulnerable versions of the library. Cloud security firm Wiz.io likewise reported that only 1.5% of the OpenSSL instances it observed across various cloud services were running OpenSSL 3.0.0 or later.
Patches have been released by most of the major Linux distributions. Although the severity of one of the vulnerabilities was downgraded, both are still rated high. Organizations should apply the OpenSSL patch through their standard package update tooling (apt, yum, rpm, dnf, pacman and the like) and then restart services that link against the library, since long-running processes keep using the old code until they are restarted.
The Netherlands’ National Cyber Security Centre has created a useful resource for system administrators to determine if the operating systems or software they manage are vulnerable and if a patch has been released. This resource contains vendor reference documents as well: https://github.com/NCSC-NL/OpenSSL-2022/blob/main/software/README.md
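As an added example (not part of the advisory above), the following POSIX shell snippet classifies an `openssl version` string against the affected range for these two CVEs, 3.0.0 up to but not including 3.0.7. It assumes the usual "OpenSSL X.Y.Z date" output format; the sample strings in the test are constructed. Because distributions often backport the fix without changing the upstream version number, an "affected" result means "consult the vendor advisory in the NCSC-NL resource", not "confirmed exploitable".

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string against the range
# affected by CVE-2022-3602 / CVE-2022-3786 (3.0.0 <= v < 3.0.7).
# Caveat: vendor packages may carry the fix at an older upstream version
# number; treat "affected" as a prompt to check the distribution advisory.

# Extract the dotted version number from an "openssl version" line,
# e.g. "OpenSSL 3.0.2 15 Mar 2022" -> "3.0.2" (letter suffixes like 1.1.1q drop off).
openssl_version_number() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p'
}

# Print "affected" for 3.0.0 through 3.0.6, "fixed" for 3.0.7 and any later
# 3.x release, "unaffected" for other major branches (1.x), "unknown" if unparsable.
classify_openssl_version() {
    ver=$(openssl_version_number "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
        return 1
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # a bare "3.0" has no patch field
    if [ "$major" -ne 3 ]; then
        echo "unaffected"
    elif [ "$minor" -gt 0 ] || [ "$patch" -ge 7 ]; then
        echo "fixed"
    else
        echo "affected"
    fi
}

# Typical use: classify the OpenSSL binary on this host.
check_local_openssl() {
    classify_openssl_version "$(openssl version 2>/dev/null)"
}
```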