Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News OpenSSL Hit by Two High Severity Vulnerabilities, Recently Patched

OpenSSL Hit by Two High Severity Vulnerabilities, Recently Patched

Introduced in OpenSSL 3.0 in September 2021 and affecting all successive versions up to and including OpenSSL 3.0.6, the two recently patched vulnerabilities are caused by buffer overruns in X.509 certificate verification.

Both CVE-2022-3786 and CVE-2022-3602 describe two buffer overflow issues in an X.509 email address verification, leading to the possibility of a denial of service attack for the former, and of a remote code execution attack for the latter.

The vulnerabilities require either a CA to have signed the malicious certificate or the application to ignore a failed certificate validation, which makes an exploit unlikely, though. For this reason, CVE-2022-3602 severity was downgraded from "critical" to "high" after an initial assessment.

While downgrading CVE-2022-3602 reduced somewhat the impact of the announcement, it is still true that OpenSSL is a key component for the security of the Web and, as it became evident after Heartbleed was discovered in 2014, patching it is a major undertaking. In fact, a report by Internet intelligence company Shodan revealed that over 80,000 devices where still vulnerable to Heartbleed six years after its disclosure.

The initial classification of CVE-2022-3602 as critical caused many worries in the community, but, as Dan Lorenc, co-creator of the cryptographic signing provider Sygstore and co-founder of supply chain security startup Chainguard, remarked, the fact that during almost a decade this was the first critical vulnerability reinforces the idea that open source code is at least as secure as proprietary, closed source code.

This vulnerability will likely lead to many discussions around the perceived unsustainability and insecurity of open source, but the facts remain that major, well-funded vendors see bugs like this at a much higher rate. [...] We should instead focus on building secure software that has the tooling necessary to make remediation faster and more seamless by rooting it in secure by default measures.

Another reason for concern came from the early announcement of the vulnerabilities, one week in advance on the patch being available, which could have allowed attackers to look for ways to exploit them before the patch was released. This is in compliance with OpenSSL policy, aimed to provide a date for users to get ready to patch, though. Sonatype co-founder and CTO Brian Fox further explained to InfoQ that talking publicly about such issues has a beneficial effect:

I think it can only have helped to drive awareness which should lead to faster patching. In fact, in our recent State of the Software Supply Chain report, we have data that clearly indicates the more widely publicized a vulnerability is, the faster people respond.

Sentry head of open source Chad Whitacre brought the focus on the importance for companies to contribute to make open source projects financially viable:

A lot of companies have stepped up to the plate since [Heartbleed] to finance the community-supported open source projects we all depend on, but there are still a lot of companies sitting on the sidelines.

As a final remark, it is important to understand that the discovery of vulnerabilities will never end. As Fox summarizes it, "after you patch, prepare for the next vulnerability." The focus should be directed towards being able to respond and patch immediately.

Here you can find a list of affected distributions that will require a patch.

About the Author

Rate this Article