Take our free, no obligation risk assessment to find out which OpenSSL instances need to be upgraded to version 3.0.7. The Orca Cloud Security Platform can help you find affected packages in your AWS, Azure, Google Cloud and Alibaba Cloud environments. Nevertheless, Orca Security still recommends customers running the affected versions to upgrade to 3.0.7. In short, this vulnerability is much less critical than previously thought. With regards to the cloud instances that are still using older platforms, we expect these to be using the older version 1.1 of OpenSSL that is not affected by the CVE, as OpenSSL v.3 was just released in September 2021. Typically, cloud environments utilize modern operation systems with stack overflow protection mechanisms, so we expect the potential danger of CVE-2022-3602 in the cloud to be limited. Therefore the OpenSSL project team downgraded the vulnerability to a ‘high’ severity. When more details were published, it became apparent that this bug is unlikely to be exploitable on modern systems that implement stack overflow protections. The release includes fixes for two X.509 email address buffer overflow vulnerabilities, assigned with severity ‘high’: CVE-2022-3786 and CVE-2022-3602.ĬVE-2022-3602 was previously assigned the severity ‘critical’, since it was thought that it allowed remote code execution (RCE) in common configurations. The OpenSSL project team has now released version 3.0.7 and advises users of versions 3.0.0 – 3.06 to upgrade to 3.0.7 as soon as possible.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |