Wind River Security Vulnerability Notice: CVE-2022-3602 and CVE-2022-3786 of openssl
OpenSSL will release a new update on 2021/11/01 that fixes two "High" severity issues. These issues affect OpenSSL versions 3.0.0 to 3.0.6:
CVE-2022-3786:
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Users are encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.
OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to these issues.
OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.
OpenSSL 1.1.1 and 1.0.2 are not affected by these issues.
WRLINUX_22_LTS and WRLINUX_CI are affected; all earlier releases do not have this issue.
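A quick triage helper for the affected range stated above (OpenSSL 3.0.0 through 3.0.6, fixed in 3.0.7), added here as an example and not part of the Wind River notice or the OpenSSL project: it parses the banner printed by `openssl version` (sample banners below are constructed) and also reports the OpenSSL library linked into the running Python interpreter.

```python
import re
import ssl
from typing import Optional, Tuple

# Affected range stated in the advisory: OpenSSL 3.0.0 through 3.0.6 (fixed in 3.0.7).
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches the version field of an `openssl version` banner, e.g. "3.0.5" or "1.1.1q".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Parse 'OpenSSL 3.0.5 5 Jul 2022' or 'OpenSSL 1.1.1q  5 Jul 2022'.

    Returns (major, minor, patch, letter) or None if the banner is not recognised.
    The letter suffix only exists in the 1.x series and is kept for reporting.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter

def is_affected(banner: str) -> bool:
    """True if the banner describes an OpenSSL build inside the advisory's affected range."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        # Unknown banner: never silently report "not affected"; let the caller investigate.
        raise ValueError(f"unrecognised OpenSSL version banner: {banner!r}")
    major, minor, patch, _letter = parsed
    return AFFECTED_MIN <= (major, minor, patch) <= AFFECTED_MAX

def check_running_interpreter() -> Tuple[str, bool]:
    """Report the OpenSSL linked into this Python interpreter and whether it is affected."""
    banner = ssl.OPENSSL_VERSION
    return banner, is_affected(banner)

# Constructed sample banners in the format printed by `openssl version`.
SAMPLE_BANNERS = [
    "OpenSSL 3.0.5 5 Jul 2022",
    "OpenSSL 3.0.7 1 Nov 2022",
    "OpenSSL 1.1.1q  5 Jul 2022",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r}: affected={is_affected(b)}")
    print("running interpreter:", check_running_interpreter())
```

Distribution packages often carry the upstream fix as a backport while still printing an older banner, so a match here is a prompt to check the vendor's package changelog, not proof of exposure.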
Wind River will continue to monitor the various Open Source projects and will incorporate fixes as appropriate to supported products.
Upstream mitigation is as follows:
CVE-2022-3602:
https://github.com/openssl/openssl/commit/f0f530216bf93e9cdc9c2c9e3c095229d216da15
https://github.com/openssl/openssl/commit/fe3b639dc19b325846f4f6801f2f4604f56e3de3
https://github.com/openssl/openssl/commit/c42165b5706e42f67ef8ef4c351a9a4c5d21639a
https://www.openssl.org/news/vulnerabilities.html
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/