Wind River Support Network


Wind River Security Vulnerability Notice: CVE-2022-3602 CVE-2022-3786

Released: Nov 1, 2022     Updated: Nov 18, 2022

Summary

Wind River Security Vulnerability Notice: CVE-2022-3602 and CVE-2022-3786 of openssl


Affected Product Versions

Wind River Linux LTS 22, Wind River Linux CD

Description

OpenSSL will release a new update on 2021/11/01 that fixes two "High" severity issues. These issues affect OpenSSL versions 3.0.0 to 3.0.6:


CVE-2022-3786:

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

CVE-2022-3602:

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Users are encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.


OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to these issues.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.

OpenSSL 1.1.1 and 1.0.2 are not affected by these issues.
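As an added example (not part of the Wind River notice), a small Python checker that maps an `openssl version` banner, or the OpenSSL this interpreter is linked against, onto the version ranges stated above; the sample banners are constructed.

```python
import re
import ssl

# Version boundaries taken from the notice: 3.0.0 through 3.0.6 are
# vulnerable, 3.0.7 is the fixed release, and 1.1.1 / 1.0.2 are unaffected.
FIRST_VULNERABLE = (3, 0, 0)
FIRST_FIXED = (3, 0, 7)

_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> tuple:
    """Parse the 'OpenSSL X.Y.Z ...' banner printed by `openssl version`
    into (major, minor, patch). Letter suffixes such as 1.1.1q are
    ignored: only the numeric 3.0.x line matters for these CVEs."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    return tuple(int(x) for x in m.group(1, 2, 3))


def assess(version: tuple) -> str:
    """Classify a (major, minor, patch) tuple against CVE-2022-3602/3786."""
    if version[0] != 3:
        return "NOT_AFFECTED"          # 1.1.1 and 1.0.2 branches
    if FIRST_VULNERABLE <= version < FIRST_FIXED:
        return "VULNERABLE"            # 3.0.0 .. 3.0.6: upgrade to 3.0.7
    return "FIXED"                     # 3.0.7 or later


def assess_banner(banner: str) -> str:
    return assess(parse_openssl_version(banner))


def assess_running_python() -> str:
    """Check the OpenSSL that this Python interpreter is linked against."""
    return assess(ssl.OPENSSL_VERSION_INFO[:3])


if __name__ == "__main__":
    # Constructed sample banners in the shape `openssl version` prints.
    for banner in ("OpenSSL 3.0.5 5 Jul 2022",
                   "OpenSSL 3.0.7 1 Nov 2022",
                   "OpenSSL 1.1.1q 5 Jul 2022"):
        print(f"{banner:30} -> {assess_banner(banner)}")
    print("this interpreter:", ssl.OPENSSL_VERSION, "->", assess_running_python())
```

A version string alone cannot show whether a vendor hot patch of the kind listed in the changelog has been applied to an otherwise vulnerable build; confirm against the installed package's changelog as well.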


What software is known to be affected by this CVE?

OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue.


Is Wind River Linux affected by this CVE issue?

WRLINUX_22_LTS and WRLINUX_CI are affected; all earlier releases do not have this issue.


Affected software components:

openssl

Affected hardware:

This is a pure software issue.

Mitigation


Wind River will continue to monitor the various Open Source projects and will incorporate fixes as appropriate to supported products.

The upstream fixes are listed below:

CVE-2022-3602:

https://github.com/openssl/openssl/commit/f0f530216bf93e9cdc9c2c9e3c095229d216da15

https://github.com/openssl/openssl/commit/fe3b639dc19b325846f4f6801f2f4604f56e3de3


CVE-2022-3786:

https://github.com/openssl/openssl/commit/c42165b5706e42f67ef8ef4c351a9a4c5d21639a


Additional References

https://www.openssl.org/news/vulnerabilities.html

https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/



Changelog

  • 19/11/2022: Host patch of CI and LTS-22 in Studio 22.09
  • 02/11/2022: Hot patch of WRLinux_CI
  • 01/11/2022: Initial

