OpenSSL Releases Security Update - November 1, 2022

Original release date: November 01, 2022

OpenSSL has released a security advisory to address two vulnerabilities, CVE-2022-3602 and CVE-2022-3786, affecting OpenSSL versions 3.0.0 through 3.0.6.

Both CVE-2022-3602 and CVE-2022-3786 can cause a denial of service. According to OpenSSL, a cyber threat actor leveraging CVE-2022-3786 "can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution," allowing them to take control of an affected system.

CISA encourages users and administrators to review the OpenSSL advisory, blog, and OpenSSL 3.0.7 announcement, and to upgrade to OpenSSL 3.0.7. For additional information on affected products, see the 2022 OpenSSL vulnerability - CVE-2022-3602 GitHub repository, jointly maintained by the Netherlands' National Cyber Security Centrum (NCSC-NL) and CISA.
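Because the advisory defines exposure purely by version (3.0.0 through 3.0.6 affected, 3.0.7 fixed), the first thing an administrator wants is a repeatable check of which hosts are in that range. The following script is an added example, not code from CISA, OpenSSL or NCSC-NL: it parses the banner printed by `openssl version`, classifies it against the advisory's range, and can be run against the local system or against banners collected from other hosts. The sample banners in it are constructed for illustration.

```python
import re
import subprocess
from typing import Optional, Tuple

# Version range taken from the advisory: 3.0.0 through 3.0.6 are affected,
# 3.0.7 carries the fix. Other major/minor series (1.1.1, 1.0.2) are not
# named as affected and are therefore reported as out of range.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)
FIXED_VERSION = (3, 0, 7)

# Matches "OpenSSL 3.0.5 5 Jul 2022" and also 1.x banners such as
# "OpenSSL 1.1.1q 5 Jul 2022" (the trailing letter is ignored).
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*", re.IGNORECASE)


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an `openssl version` banner, or None."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(banner: str) -> bool:
    """True if the banner's version falls inside the advisory's affected range."""
    version = parse_openssl_version(banner)
    if version is None:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify(banner: str) -> str:
    """Human-readable verdict for one banner: AFFECTED, FIXED or OUT_OF_RANGE."""
    version = parse_openssl_version(banner)
    if version is None:
        return "UNKNOWN"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "AFFECTED"
    if version >= FIXED_VERSION and version[:2] == (3, 0):
        return "FIXED"
    return "OUT_OF_RANGE"


def local_openssl_banner() -> Optional[str]:
    """Run `openssl version` on this host; None if the binary is missing."""
    try:
        result = subprocess.run(
            ["openssl", "version"], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        return None
    return result.stdout.strip() or None


# Constructed sample banners (not real inventory data) to show each verdict.
SAMPLE_BANNERS = [
    "OpenSSL 3.0.5 5 Jul 2022",   # inside 3.0.0-3.0.6 -> AFFECTED
    "OpenSSL 3.0.7 1 Nov 2022",   # the fixed release -> FIXED
    "OpenSSL 1.1.1q 5 Jul 2022",  # 1.1.1 series not named -> OUT_OF_RANGE
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{classify(banner):13s} {banner}")
    local = local_openssl_banner()
    if local:
        print(f"{classify(local):13s} {local}  (this host)")
```

One caveat the advisory's reference to the affected-products repository hints at: `openssl version` only reports the copy of libcrypto that the command-line binary links against. Applications that bundle or statically link their own OpenSSL (language runtimes, container images, appliances) must be checked separately, which is why the vendor list in the GitHub repository matters alongside this host-level check.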

View detailed report below.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

(O) +1 202 626 2272