#VU68896 Buffer overflow in OpenSSL


Published: 2022-11-02 | Updated: 2023-01-22

Vulnerability identifier: #VU68896

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-3786

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing the email address field length inside a X.509 certificate. A remote attacker can supply a specially crafted certificate to the application, trigger a buffer overflow and crash the application.


Mitigation
Install updates from vendor's website.

Vulnerable software versions

OpenSSL: 3.0.0 - 3.0.6

CPE

External links
http://www.openssl.org/news/secadv/20221101.txt

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Aspera faspio Gateway
IBM AIX update for OpenSSL
Multiple vulnerabilities in Hitachi Energy PCU400
Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)
Multiple vulnerabilities in Hitachi Energy Lumada Asset Performance Management
SUSE update for openssl-3
Multiple vulnerabilities in several Siemens Products
Multiple vulnerabilities in IBM API Connect
Multiple vulnerabilities in Dell Command | Integration Suite for System Center
Multiple vulnerabilities in Dell Command | Intel vPro Out of Band