On October 26, 2022, Wind River® became aware of a new vulnerability in Open SSL versions 3.0.0 to 3.0.6. On November 1st, 2022, The Open SSL Group announced two High Vulnerabilities CVE-2022-3786 and CVE 2022-3602. The OpenSSL Project has released version 3.0.7, available on November 1st to remediate these vulnerabilities. These High vulnerabilities are likely to be exploitable; examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys, or where remote code execution is considered likely.
Wind River has examined our products and found the following products to contain the affected versions of Open SSL:
WRLINUX_10_22_LTS and WRLINUX_CI
We are diligently working to incorporate Open SSL 3.0.7 into our affected products directly and working with the upstream community.
Please visit our security center at windriver.com/security for ongoing updates to the Wind River product vulnerability status and
the security bulletin for detailed product updates and remediation plans at https://support2.windriver.com/index.php?page=security- notices&on=view&id=7919
Additional Resources
CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows - OpenSSL Blog
Fix CVE-2022-3786 in punycode decoder. · openssl/openssl@c42165b · GitHub
Please access these additional Wind River resources for this and all vulnerabilities:
Wind River customers with additional questions about these vulnerabilities should contact Wind River Customer Support or their local Wind River sales representative for more information. If you own a device that may be impacted by these vulnerabilities, please contact your device manufacturer.
