Two vulnerabilities (CVE-2022-3602 and CVE-2022-3786) in the OpenSSL open-source cryptographic library have been fixed by the OpenSSL Project. The vulnerabilities affect version 3.0.0 and later and have been fixed in OpenSSL version 3.0.7. There is currently no known working proof-of-concept that exploits these vulnerabilities. CVE-2022-3602 is a stack buffer overflow initially rated critical in severity for potential remote code execution but has since been downgraded to high severity. CVE-2022-3786 is also a buffer overflow that could lead to a potential denial of service.
According to data from Censys, only around 7,000 of over 1,793,000 public-facing servers running OpenSSL were found to be running vulnerable versions of the library. Cloud security firm Wiz.io likewise reported that only 1.5% of the OpenSSL instances it observed across various cloud services were running OpenSSL 3.0.0 or later.
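As an added triage check (not part of the original article), the following Python script parses the banner printed by `openssl version` and reports whether the reported version falls in the affected range 3.0.0 up to but not including 3.0.7; the sample banners and the helper names `assess_banner` and `assess_local_openssl` are constructed for this example.

```python
import re
import subprocess
from typing import Optional, Tuple

# Affected range stated in the advisory: 3.0.0 <= version < 3.0.7.
FIRST_AFFECTED = (3, 0, 0)
FIXED_VERSION = (3, 0, 7)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an `openssl version` banner.

    Returns None when the banner is not an OpenSSL banner (e.g. LibreSSL).
    The legacy letter suffix (1.1.1q) is ignored: the 1.x series is
    outside the affected range regardless of the suffix.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version lies in [3.0.0, 3.0.7), i.e. before the fix."""
    return FIRST_AFFECTED <= version < FIXED_VERSION


def assess_banner(banner: str) -> str:
    """Classify a banner as 'affected', 'not affected' or 'unknown'."""
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


def assess_local_openssl() -> str:
    """Run the local `openssl version` binary and classify its output."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return "unknown"
    return assess_banner(proc.stdout)


if __name__ == "__main__":
    # Constructed sample banners, not output captured from real hosts.
    for sample in ("OpenSSL 3.0.5 5 Jul 2022", "OpenSSL 3.0.7 1 Nov 2022",
                   "OpenSSL 1.1.1q 5 Jul 2022", "LibreSSL 3.3.6"):
        print(f"{sample!r}: {assess_banner(sample)}")
    print("local openssl:", assess_local_openssl())
```

A distribution build that backports the fix may still print a version string inside the affected range, so treat "affected" as a prompt to check the package changelog rather than as a final verdict.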