Wind River Support Network

Mandatory

Wind River Security Alert: OpenSSL 3.0.X Critical Vulnerability

Released: Oct 27, 2022     Updated: Nov 1, 2022

Summary

On October 26, 2022, Wind River® became aware of a new vulnerability in OpenSSL versions 3.0.0 to 3.0.6. On November 1, 2022, the OpenSSL Group announced two High vulnerabilities, CVE-2022-3786 and CVE-2022-3602. The OpenSSL Project released version 3.0.7 on November 1 to remediate these vulnerabilities. These High vulnerabilities are likely to be exploitable; examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys, or where remote code execution is considered likely.


Affected Product Versions

Products

Description

Affected Products

Wind River has examined our products and found the following products to contain the affected versions of OpenSSL:

  • VxWorks 22.09
  • WRLINUX_10_22_LTS and WRLINUX_CI


We are diligently working to incorporate OpenSSL 3.0.7 into our affected products directly and working with the upstream community.

Please visit our security center at windriver.com/security for ongoing updates to the Wind River product vulnerability status and the security bulletin for detailed product updates and remediation plans at https://support2.windriver.com/index.php?page=security-notices&on=view&id=7919
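
The version range given in the Summary (3.0.0 to 3.0.6 affected, 3.0.7 fixed) can be applied to `openssl version` banners collected from hosts. This is an added example, not Wind River or OpenSSL Project code; the host names and banners are constructed sample data.

```python
import re

# Range stated in the advisory: 3.0.0 through 3.0.6 affected, fixed in 3.0.7.
FIRST_AFFECTED = (3, 0, 0)
FIRST_FIXED = (3, 0, 7)

# "OpenSSL 3.0.5 ..." or "OpenSSL 1.1.1q ..."; forks such as LibreSSL do not match.
_BANNER = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def classify(banner):
    """Classify one `openssl version` banner as affected / not_affected / unknown."""
    versions = [tuple(map(int, m)) for m in _BANNER.findall(banner)]
    if not versions:
        return "unknown"  # other TLS library, empty or garbled output: check by hand
    # The banner can name both the CLI build and the loaded library
    # ("... (Library: OpenSSL x.y.z ...)"); one affected version is enough.
    if any(FIRST_AFFECTED <= v < FIRST_FIXED for v in versions):
        return "affected"
    return "not_affected"


def affected_hosts(inventory):
    """Return the sorted host names whose banner falls in the affected range."""
    return sorted(h for h, b in inventory.items() if classify(b) == "affected")


# Constructed sample inventory (hypothetical host names and banners).
SAMPLE_INVENTORY = {
    "build-01": "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
    "gw-02": "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)",
    "web-03": "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)",
    "legacy-04": "OpenSSL 1.1.1q  5 Jul 2022",
    "bsd-05": "LibreSSL 3.3.6",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(host, SAMPLE_INVENTORY[host])
```

The check assumes upstream version numbering: a package that backports the fix without changing the reported version is still listed as affected and needs a changelog check against the vendor's bulletin.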

Additional Resources


CVE-2022-3786

CVE-2022-3602

CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows - OpenSSL Blog

Fix CVE-2022-3786 in punycode decoder. · openssl/openssl@c42165b · GitHub


Please access these additional Wind River resources for this and all vulnerabilities:

Wind River customers with additional questions about these vulnerabilities should contact Wind River Customer Support or their local Wind River sales representative for more information. If you own a device that may be impacted by these vulnerabilities, please contact your device manufacturer.

