CVE-2022-3602 and CVE-2022-3786

Solution Number:
S36916
Last Modified:
2022-11-04
Description

CVE-2022-3602 and CVE-2022-3786

Issue
OpenSSL has two new critical vulnerabilities, CVE-2022-3786 and CVE-2022-3602, affecting certain OpenSSL 3 releases. The vulnerability descriptions are as follows:

"A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking", meaning the overrun occurs during the authentication phase, and it can be triggered on both the TLS client and the TLS server. Both vulnerabilities occur after the certificate chain signature verification, and exploitation "requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer." The potential impact of CVE-2022-3786 is a denial-of-service (DoS) attack. It is critical, but it is only a precursor to CVE-2022-3602, which can be even more severe and lead to remote code execution.

NIST Vulnerability links: CVE-2022-3786 and CVE-2022-3602

Are NPM Products affected by these vulnerabilities?
Solution

Our NPM Products do not use OpenSSL versions 3.x. They are based on OpenSSL 1.1.1 which is not affected by this issue.
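The distinction the solution draws is between the OpenSSL 3.x line and OpenSSL 1.1.1, so the practical check is to inventory which line each host or product is actually linked against. The following is an added example, not Riverbed's own code; it assumes a local `openssl` CLI and Python's `ssl` module, and it only identifies the line, leaving the exact 3.x release to be compared with the OpenSSL advisory.

```python
"""Classify OpenSSL version banners against the two lines this advisory
distinguishes: 3.x (where CVE-2022-3602 / CVE-2022-3786 live) and 1.1.1."""
import re
import ssl
import subprocess

# Matches the banner printed by `openssl version` and the string exposed by
# Python's ssl module, e.g. "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter), or None if the banner is not OpenSSL."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def classify(banner):
    """Map a banner to one of the advisory's categories.

    'affected-line' : OpenSSL 3.x, the line the two CVEs affect; the exact
                      release still has to be checked against the OpenSSL advisory.
    'not-affected'  : OpenSSL 1.1.1, which the advisory states is unaffected.
    'out-of-scope'  : anything else (other lines, or not OpenSSL at all).
    """
    v = parse_openssl_version(banner)
    if v is None:
        return "out-of-scope"
    major, minor, patch, _ = v
    if major == 3:
        return "affected-line"
    if (major, minor, patch) == (1, 1, 1):
        return "not-affected"
    return "out-of-scope"


def local_openssl_banners():
    """Collect banners from this host: the CLI (if installed) and the library
    the Python interpreter itself is linked against, which can differ."""
    banners = {"python-ssl-module": ssl.OPENSSL_VERSION}
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False)
        banners["openssl-cli"] = out.stdout.strip()
    except FileNotFoundError:
        banners["openssl-cli"] = ""  # no CLI on this host; classified out-of-scope
    return banners


if __name__ == "__main__":
    for source, banner in local_openssl_banners().items():
        print(f"{source:20s} {banner!r:40s} -> {classify(banner)}")
```

Run it on each host that fronts TLS; a product whose CLI reports 1.1.1 can still embed a separately linked 3.x library, so check the interpreter or application binary as well as the system CLI.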


NOTICE: Riverbed® product names have changed. Please refer to the Product List for a complete list of product names.