In the last week of October 2022, OpenSSL Project revealed two vulnerabilities found in the OpenSSL library.
Patches for the two weaknesses found in OpenSSL v3.0.0 to v3.06 have now been released.
What Is OpenSSL?
The vulnerabilities are CVE-2022-3602 and CVE-2022-3786.
On October 25th, 2022, the news of the vulnerabilities hit the internet.
How Can an Attacker Exploit These Vulnerabilities?
An attacker can incorporatea phishing schemesuch as creating a fabricated email address to overflow four bytes on the stack.
CVE-2022-3786
This vulnerability is exploited just like CVE-2022-3602.
character (decimal 46).
However, in CVE-2022-3602, only four bytes controlled by the attacker are exploited.
Whats the Fix?
In todays cyber-security-aware world, many platforms implement stack overflow protections to keep attackers at bay.
This provides necessary mitigation against buffer overflow.
Further mitigation against these vulnerabilities involves upgrading to the latest released version of OpenSSL.
As OpenSSL v3.0.0 to v3.0.6 is vulnerable, it is recommended that you upgrade to OpenSSL v3.0.7.
Thanks to the security updates released by OpenSSL in time, you dont need to worry about these vulnerabilities.
