Spooky SSL Vulnerability

A new high-severity security vulnerability, "X.509 Email Address Buffer Overflows", was found in OpenSSL, a widely used software library that encrypts communication channels and HTTPS connections.

OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue. The OpenSSL Project has patched the flaws in its open-source cryptographic library and published the fix in version 3.0.7.


Details

The vulnerabilities (CVE-2022-3602 and CVE-2022-3786) affect OpenSSL version 3.0.0 and the later releases of the 3.0 series, and have been addressed in OpenSSL 3.0.7.

The risk was downgraded from Critical to High because, while OpenSSL is popular, the newer version 3 is not as widely deployed as the common 1.1 and 1.2 versions. Additionally, the buffer overflow in the e-mail address field has been found to be hard to exploit in practice. Users are still recommended to upgrade.

The Nationaal Cyber Security Centrum (NCSC-NL) has published more information on its GitHub page, https://github.com/NCSC-NL/OpenSSL-2022, about the details of the vulnerability and which platforms and software packages are vulnerable.


What can you do?

Check the Vulnerable Software list to see whether you are using software or an operating system version that is vulnerable. If you do, and you offer TLS connections with it, it is a good idea to upgrade your OpenSSL version.

Note that, amongst others, Debian 12 and later and Ubuntu releases newer than 20.04 are vulnerable, as well as Docker images based on these operating systems:

  • Debian 12 (bookworm) and unstable
  • Ubuntu 22.04 and 22.10
  • RedHat Enterprise Linux 9
  • Alpine 3.15, 3.16 and edge
  • Node.js 18 and 19
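As an added example (not from the original advisory or from NCSC-NL), a small Python check that parses an `openssl version` string and flags the 3.0.0 through 3.0.6 range described on this page. The verdict wording and the `main()` probes of the interpreter's linked OpenSSL and the system `openssl` binary are my own choices; bundled runtimes such as Node.js ship their own OpenSSL copy, so each binary has to be checked on its own.

```python
"""Flag OpenSSL builds affected by CVE-2022-3602 / CVE-2022-3786.

Affected range per the advisory: 3.0.0 through 3.0.6 (fixed in 3.0.7).
"""
import re
import shutil
import ssl
import subprocess

AFFECTED_MIN = (3, 0, 0)   # first affected release
FIXED = (3, 0, 7)          # first release carrying the fix

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(text):
    """Extract (major, minor, patch) from strings such as
    'OpenSSL 3.0.5 5 Jul 2022' or '3.0.2'. Returns None if no x.y.z is found
    (e.g. a LibreSSL banner), so callers can report 'unknown' rather than guess."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True when the version tuple lies in [3.0.0, 3.0.7).
    1.x releases and 3.0.7+ fall outside the range and are not flagged."""
    return AFFECTED_MIN <= version < FIXED


def assess(text):
    """Return a one-line verdict for a version string (verdict format is constructed)."""
    version = parse_openssl_version(text)
    if version is None:
        return "unknown: could not parse an OpenSSL version from %r" % text
    label = ".".join(str(part) for part in version)
    if is_affected(version):
        return "AFFECTED: OpenSSL %s is in 3.0.0-3.0.6; upgrade to 3.0.7 or later" % label
    return "not affected: OpenSSL %s" % label


def main():
    # The OpenSSL linked into this interpreter may differ from the system binary.
    print("interpreter:", assess(ssl.OPENSSL_VERSION))
    exe = shutil.which("openssl")
    if exe:
        out = subprocess.run([exe, "version"], capture_output=True, text=True).stdout
        print("system binary:", assess(out))


if __name__ == "__main__":
    main()
```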

For more information, please read the OpenSSL blog post "CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows".