
OpenSSL 3.0.7 Released: Everything You Need to Know About the High-Severity Vulnerability

OpenSSL originally warned this patch would fix a critical vulnerability impacting all OpenSSL 3.0 installations.

OpenSSL has released a patch fixing the headline-making vulnerability it first announced on October 27th, 2022.  

Experts first categorized this as a critical-level vulnerability comparable to the Heartbleed bug almost a decade prior. Upon release, OpenSSL announced that it actually patched two separate high-severity vulnerabilities. 

These security flaws now have CVE numbers and can be tracked by threat intelligence services: 

  • CVE-2022-3602 is triggered by a maliciously long email ID in an X.509 certificate that OpenSSL verifies. It causes a buffer overflow that can force the server or app to allow remote code execution if the certificate is validated.
  • CVE-2022-3786 also involves a buffer overflow, one that crashes the app or server after the certificate is signed. Attackers use a malicious email ID to overflow an arbitrary number of bytes and trigger a crash, which results in a denial of service.

In both cases, one of two things must happen for the exploit to work: either a Certificate Authority signs the malicious certificate, or the app continues verification despite failing to reach a trusted issuer.

Since the vulnerabilities cannot easily be exploited through common remote code execution scenarios, OpenSSL downgraded them from Critical to High severity. 

 

What Systems are Impacted? 

Only email-capable systems performing a specific type of certificate authentication running OpenSSL 3.0.0 and above are impacted. 

OpenSSL 3.0.0 was originally released in September 2021. That means systems that have implemented or upgraded OpenSSL since that date may be affected. This includes popular runtime environments like Node.js 18 and 19 and other third-party solutions that use OpenSSL. 

The exploits rely on buffer overflows triggered when email servers perform X.509 certificate verification. That means affected systems must be email servers, email security gateway applications, or email clients. Many platforms have stack overflow protections that can mitigate these risks, but upgrading to the current patch is still recommended.

 

Many Linux Operating System Distributions are Impacted 

Several dozen Linux distributions are known to ship OpenSSL 3.0.0 and above. Systems built on these distributions have email capabilities and can likely be exploited using malicious X.509 certificates.

The most popular distributions affected include RHEL 9.0, Ubuntu 22.04, and Fedora 36. A full list of affected Linux distributions is available here.

 

Does the OpenSSL Vulnerability Impact SSL Certificates?

The short answer is no. These vulnerabilities do not impact the issuance of SSL certificates nor their use. There is no need to revoke or reissue certificates based solely on these vulnerabilities. 

 

Address the OpenSSL Vulnerability Now 

Despite the severity downgrade, OpenSSL’s newly reported vulnerabilities must still be addressed quickly. Security leaders need to identify what OpenSSL instances their organizations use, and patch those that are impacted.  
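One way to start the inventory step above: an added example (not part of the original article) that classifies `openssl version` banners collected from hosts into affected (3.0.0 through 3.0.6), fixed (3.0.7 and later) and out of scope (versions below 3.0.0, or a non-OpenSSL library). The host names and banners are constructed sample data; the local `openssl` lookup assumes the binary is on PATH.

```python
import re
import subprocess

# Constructed sample inventory: host -> output of `openssl version` on that host.
INVENTORY = {
    "mail-gw-01": "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
    "web-02": "OpenSSL 1.1.1q  5 Jul 2022",
    "build-03": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-04": "LibreSSL 3.3.6",
}

# Matches "OpenSSL 3.0.5" and letter-suffixed 1.x releases such as "OpenSSL 1.1.1q".
VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*")

FIRST_AFFECTED = (3, 0, 0)   # article: 3.0.0 and above are impacted
FIRST_FIXED = (3, 0, 7)      # article: 3.0.7 carries the fix for both CVEs


def parse_openssl_version(banner):
    """Return (major, minor, patch) from an `openssl version` banner, or None.

    When the banner also reports "(Library: OpenSSL x.y.z ...)", that is the
    shared library actually loaded at runtime, so the last match wins.
    """
    matches = VERSION_RE.findall(banner)
    if not matches:
        return None
    return tuple(int(x) for x in matches[-1])


def classify(banner):
    """Map a banner to 'affected', 'fixed', 'unaffected' or 'not-openssl'."""
    v = parse_openssl_version(banner)
    if v is None:
        return "not-openssl"          # e.g. LibreSSL: not covered by this advisory
    if FIRST_AFFECTED <= v < FIRST_FIXED:
        return "affected"             # 3.0.0 .. 3.0.6: upgrade to 3.0.7
    if v >= FIRST_FIXED:
        return "fixed"
    return "unaffected"               # pre-3.0 releases are out of scope


def audit(inventory):
    """Classify every host in the inventory."""
    return {host: classify(banner) for host, banner in inventory.items()}


def local_openssl_banner():
    """Banner of the openssl binary on this machine, or None if unavailable."""
    try:
        return subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=True).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:12} {status}")
    banner = local_openssl_banner()
    if banner:
        print(f"{'localhost':12} {classify(banner)}  ({banner})")
```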

This will test the risk quantification strategy of many cybersecurity leaders and their teams. Executives increasingly call on CISOs and their teams to translate security processes into dollars. The better security leaders understand their tech stack, the easier it will be to justify cybersecurity investment in detection and response capabilities for incidents like this one.