OpenSSL 3.x Vulnerability: CVE-2022-3786 & CVE-2022-3602 FAQs and Resources

Discover up-to-date information, tools, and assistance to help you get a handle on the OpenSSL 3.x vulnerability

What is OpenSSL?

OpenSSL is the core open-source library that implements SSL and TLS protocols which makes it possible to securely communicate over the internet.

What is the OpenSSL vulnerability CVE-2022-3786 & CVE-2022-3602 [High Severity]?

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or an application to continue certificate verification despite failing to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the '.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).

In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Reported by Viktor Dukhovni.

Vulnerable Versions

OpenSSL versions 3.0 through 3.0.6 are vulnerable. The commonly deployed OpenSSL 1.1.1 is not vulnerable.
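The affected range above is narrow (the 3.0 series up to and including 3.0.6; 3.0.7 is the fixed release and 1.1.1 never contained the code), so an inventory check comes down to parsing whatever version string a host reports and comparing it against that range. The POSIX shell below is an added example written for this page, not Qualys or OpenSSL code; the function names are its own, and the sample version strings are constructed to mirror the shape `openssl version` prints.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string against the range
# affected by CVE-2022-3786 / CVE-2022-3602 (3.0.0 through 3.0.6).
# Function names are this example's own, not a Qualys or OpenSSL interface.

# normalize_openssl_version STRING
# Reduce "OpenSSL 3.0.2 15 Mar 2022", "1.1.1s" or "3.0" to a bare dotted
# numeric version ("3.0.2", "1.1.1", "3.0"): drop a leading non-numeric
# prefix, then everything from the first character that is not a digit or dot.
normalize_openssl_version() {
  printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*//'
}

# is_vulnerable_openssl STRING
# Exit 0 when the version lies in 3.0.0..3.0.6, 1 when it does not,
# 2 when no version number could be parsed from the input.
is_vulnerable_openssl() {
  base=$(normalize_openssl_version "$1")
  major=$(printf '%s' "$base" | cut -d. -f1)
  # -s suppresses lines without a delimiter, so "3" yields empty minor/patch
  # instead of echoing the whole input back.
  minor=$(printf '%s' "$base" | cut -s -d. -f2)
  patch=$(printf '%s' "$base" | cut -s -d. -f3)
  [ -n "$major" ] || return 2
  minor=${minor:-0}   # "3.0" is the first affected release, i.e. 3.0.0
  patch=${patch:-0}
  # Only the 3.0 series up to and including 3.0.6 is affected; 3.0.7 carries
  # the fix, and 1.1.1 never contained the vulnerable code.
  if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
    return 0
  fi
  return 1
}

# Constructed sample inputs in the shapes an inventory would collect.
for v in "3.0.6" "OpenSSL 3.0.2 15 Mar 2022" "OpenSSL 3.0.7 1 Nov 2022" \
         "1.1.1s" "3.1.0"; do
  if is_vulnerable_openssl "$v"; then
    echo "VULNERABLE   : $v"
  else
    echo "not affected : $v"
  fi
done

# Check the host's own binary when one is on PATH; the rc= dance keeps a
# non-zero return from aborting a script run under set -e.
if command -v openssl >/dev/null 2>&1; then
  local_ver=$(openssl version 2>/dev/null || true)
  rc=0
  is_vulnerable_openssl "$local_ver" || rc=$?
  case $rc in
    0) echo "host openssl VULNERABLE   : $local_ver" ;;
    1) echo "host openssl not affected : $local_ver" ;;
    *) echo "host openssl version not parsed: $local_ver" ;;
  esac
fi
```

Run it on each host (or feed it the output of a fleet-wide `openssl version` collection) and triage the lines marked VULNERABLE; a parse failure (exit 2) is worth a manual look rather than being treated as clean, since a binary that reports an unusual string still needs its version confirmed.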

How Qualys can help

To help the security community during these challenging times, we are opening up free access to our industry-leading Enterprise TruRisk Platform that can help organizations inventory and scan all systems with vulnerable versions of OpenSSL. Our unified platform brings together Cybersecurity Asset Management, Vulnerability Management Detection & Response, Patch Management, Web Application Scanning, Container Security and Custom Assessment and Remediation. Free 30-day trial

Detect, protect, and respond to OpenSSL vulnerabilities with the Enterprise TruRisk Platform

Cybersecurity Asset Management

Find and manage cybersecurity risks in IT assets. Qualys CSAM continuously inventories assets, applies business criticality and risk context, detects security gaps, and responds with appropriate actions to mitigate risk.


Vulnerability Management Detection and Response

Quantify risk across vulnerabilities, assets, and groups of assets to help your organization proactively mitigate risk exposure and track risk reduction over time.


Patch Management

Streamline and accelerate vulnerability remediation for all your IT assets. Qualys Patch Management automatically correlates vulnerabilities to patch deployments so you can remediate quickly, proactively, and consistently.


Web Application Scanning

Leverage Qualys WAS for continuous detection of vulnerabilities and misconfigurations, using automated scanning and testing of all your web apps and APIs.


Custom Assessment and Remediation

Qualys CAR allows security practitioners to quickly create and execute custom scripts and controls to directly remediate and improve the security posture of any system or application.


Enterprise TruRisk Platform Status

We are continuously monitoring all our environments for any indication of active threats and exploits. With these measures, we are confident that necessary mitigations and remediation are in place to block and prevent any exploits of OpenSSL and there is no impact on Qualys scanners, Cloud Agent, systems or customer data. We will continue to monitor our environment around the clock and implement additional measures as required.