OpenSSL 3.0.7 arrives to fix a buffer overflow problem 


OpenSSL is a free software project based on SSLeay. 

The release of a corrective version of the OpenSSL cryptographic library, 3.0.7, has been announced. It fixes two vulnerabilities, and the reason for this corrective release is a buffer overflow that is triggered when validating X.509 certificates.

It is worth mentioning that both problems are buffer overflows in the code that validates the e-mail address field of X.509 certificates (the decoding of Punycode-encoded internationalised addresses during name constraint checking), and that processing a specially crafted certificate could lead to code execution.

At the time the fix was released, the OpenSSL developers had no reports of a working exploit that could lead to the execution of attacker-controlled code.

There is a case in which servers could be attacked through TLS client authentication, because it is then the server that parses the certificate presented by the client. Note, however, that the flaw is reached only after the chain signature has been verified, so the malicious client certificate must chain to a CA the server trusts, or the server must continue verification despite failing to build a path to a trusted issuer. Since client authentication is rare and most servers do not enable it, the risk to servers is considered low.

The attackers could exploit this vulnerability by directing the client to a malicious TLS server which uses a specially crafted certificate to trigger the vulnerability.

Although the pre-release announcement for the new version mentioned a critical issue, in the released update the vulnerability's severity was downgraded to HIGH rather than CRITICAL.

According to the rules adopted by the project, the severity level is lowered when a problem affects only atypical configurations or when exploitation in practice is unlikely. In this case the level was lowered because, on many platforms, the stack layout causes the overflowed bytes to land in an adjacent buffer that is not yet in use, and the stack overflow protection mechanisms used on many platforms further hinder exploitation.

Previous announcements of CVE-2022-3602 described this issue as CRITICAL. Additional analysis based on some of the mitigating factors outlined above has led to this being downgraded to HIGH.

Users are still encouraged to update to a new version as soon as possible. On a TLS client, this can be triggered by connecting to a malicious server. On a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. OpenSSL versions 3.0.0 through 3.0.6 are vulnerable to this issue. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.

Of the problems identified, the following is mentioned:

CVE-2022-3602: initially reported as critical, this vulnerability causes a 4-byte buffer overflow when verifying a specially crafted e-mail address field in an X.509 certificate. On a TLS client it can be exploited by connecting to a server controlled by the attacker; on a TLS server it can be exploited if certificate-based client authentication is used. In both cases the flaw is reached in the stage after verification of the certificate's chain of trust, that is, the attack requires a certification authority to have signed the attacker's malicious certificate (or the application to continue verification despite failing to build a path to a trusted issuer).

CVE-2022-3786: another exploitation vector of the same code, identified during analysis of CVE-2022-3602. The difference is that the stack buffer can be overflowed by an arbitrary number of bytes, but those bytes can only contain the "." character, so the issue can be used to crash an application (denial of service) rather than to execute code.
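The overflow class behind CVE-2022-3602 (one decoded code point, i.e. four bytes, stored past the end of a fixed-size buffer while decoding the Punycode form of an e-mail address) can be shown with a small decoder. The block below is an added example written for this article, not OpenSSL's code: punycode_decode is a from-scratch RFC 3492 decoder with a hardened switch that selects between a "written > max_out" check, which lets one element through when the buffer is already full, and the correct "written >= max_out" check; decode_probe, GUARD, SLOTS and the constructed label "mnchen-3ya" (the label of xn--mnchen-3ya, "münchen") are assumptions made for the demonstration. The guard slot sits inside an oversized scratch array so the off-by-one lands somewhere observable instead of in the stack frame. The "." variant (CVE-2022-3786) is not modelled here.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* RFC 3492 Punycode parameters. */
enum { BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700,
       INITIAL_BIAS = 72, INITIAL_N = 128 };

static int decode_digit(int c)
{
    if (c >= '0' && c <= '9') return c - '0' + 26;
    if (c >= 'a' && c <= 'z') return c - 'a';
    if (c >= 'A' && c <= 'Z') return c - 'A';
    return -1;
}

/* Bias adaptation, RFC 3492 section 6.1. */
static unsigned int adapt(unsigned int delta, unsigned int numpoints, int first)
{
    unsigned int k = 0;
    delta = first ? delta / DAMP : delta / 2;
    delta += delta / numpoints;
    for (; delta > ((BASE - TMIN) * TMAX) / 2; k += BASE)
        delta /= BASE - TMIN;
    return k + (BASE - TMIN + 1) * delta / (delta + SKEW);
}

/* Decode the Punycode label `in` (the part after "xn--") into `out`, which holds
 * at most `max_out` code points.  Returns 1 and sets *out_len on success, 0 on
 * malformed input or when the output does not fit.  `hardened` selects the bounds
 * check: 0 uses "written > max_out", which still stores one code point (4 bytes)
 * past the end of a full buffer, the shape of CVE-2022-3602; 1 uses ">=". */
int punycode_decode(const char *in, size_t in_len, unsigned int *out,
                    size_t max_out, size_t *out_len, int hardened)
{
    unsigned int n = INITIAL_N, i = 0, bias = INITIAL_BIAS;
    size_t written = 0, pos = 0, delim = in_len, j;

    /* Everything before the last '-' is copied literally (basic code points). */
    for (j = 0; j < in_len; j++)
        if (in[j] == '-') delim = j;
    if (delim != in_len) {
        if (delim > max_out) return 0;
        for (j = 0; j < delim; j++) out[written++] = (unsigned char)in[j];
        pos = delim + 1;
    }
    /* Each remaining variable-length integer inserts one non-basic code point. */
    while (pos < in_len) {
        unsigned int oldi = i, w = 1, k, t;
        int digit;
        for (k = BASE; ; k += BASE) {
            if (pos >= in_len) return 0;                    /* truncated integer */
            digit = decode_digit((unsigned char)in[pos++]);
            if (digit < 0 || (unsigned int)digit > (UINT_MAX - i) / w) return 0;
            i += (unsigned int)digit * w;
            t = k <= bias ? TMIN : (k >= bias + TMAX ? TMAX : k - bias);
            if ((unsigned int)digit < t) break;
            if (w > UINT_MAX / (BASE - t)) return 0;        /* weight overflow */
            w *= BASE - t;
        }
        bias = adapt(i - oldi, (unsigned int)written + 1, oldi == 0);
        n += i / (unsigned int)(written + 1);
        i %= (unsigned int)(written + 1);
        /* out[0..written-1] are in use, so inserting is safe only while
         * written < max_out.  With written == max_out the vulnerable form falls
         * through and the memmove/store below write one element past the end. */
        if (hardened ? written >= max_out : written > max_out) return 0;
        memmove(out + i + 1, out + i, (written - i) * sizeof *out);
        out[i] = n;
        written++;
        i++;
    }
    *out_len = written;
    return 1;
}

/* Harness: decode into a scratch buffer larger than the capacity handed to the
 * decoder, so an off-by-one write lands in a guard slot; guard_hit records it. */
#define GUARD 0xDEADBEEFu
#define SLOTS 16
struct probe { int ok; size_t written; int guard_hit; unsigned int cp[8]; };

struct probe decode_probe(const char *label, size_t max_out, int hardened)
{
    unsigned int buf[SLOTS];
    struct probe r = { -1, 0, 0, { 0 } };
    size_t k;
    if (max_out >= SLOTS) return r;
    for (k = 0; k < SLOTS; k++) buf[k] = GUARD;
    r.ok = punycode_decode(label, strlen(label), buf, max_out, &r.written, hardened);
    r.guard_hit = buf[max_out] != GUARD;
    for (k = 0; k < 8; k++) r.cp[k] = buf[k];
    return r;
}

int main(void)
{
    /* Constructed input: seven code points offered to a buffer that advertises six. */
    struct probe v = decode_probe("mnchen-3ya", 6, 0), h = decode_probe("mnchen-3ya", 6, 1);
    printf("vulnerable: ok=%d, guard slot %s\n", v.ok, v.guard_hit ? "CLOBBERED" : "intact");
    printf("hardened:   ok=%d, guard slot %s\n", h.ok, h.guard_hit ? "CLOBBERED" : "intact");
    return 0;
}
```

Build with `cc -Wall -o punyprobe punyprobe.c` and run it: the vulnerable mode reports success with the guard slot clobbered (the seventh code point, the trailing "n", was moved one element past the advertised capacity by the memmove), while the hardened mode refuses the insertion and leaves the guard intact. On a real stack the same one-element write lands in whatever the compiler placed next to the buffer, which is why the advisory's severity assessment turned on stack layout and platform protections.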

The vulnerabilities are present only in the OpenSSL 3.0.x branch; OpenSSL 1.1.1, as well as the LibreSSL and BoringSSL libraries derived from OpenSSL, are not affected. At the same time, the OpenSSL 1.1.1s update was released, containing only non-security bug fixes.

The OpenSSL 3.0 branch is used by distributions such as Ubuntu 22.04, CentOS Stream 9, RHEL 9, OpenMandriva 4.2, Gentoo, Fedora 36 and Debian Testing/Unstable. Users of these systems are recommended to install the updates as soon as possible (Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch).

In SUSE Linux Enterprise 15 SP4 and openSUSE Leap 15.4, packages with OpenSSL 3.0 are available as an option, while the system packages use the 1.1.1 branch. Debian 11, Arch Linux, Void Linux, Ubuntu 20.04, Slackware, ALT Linux, RHEL 8, OpenWrt, Alpine Linux 3.16 and FreeBSD remain on the OpenSSL 1.x branches.

Finally, if you are interested in knowing more about it, you can check the details at the following link.