Microsoft is aware and actively addressing the impact associated with the recent OpenSSL vulnerabilities announced on October 25th, 2022, fixed in version 3.0.7. As part of our standard processes, we are rolling out fixes for impacted services. Any customer action that is required will be highlighted in this blog and our associated Security Update Guides (CVE-2022-3786 Security Update Guide and CVE-2022-3602 Security Update Guide). As a best practice, customers that manage their own environments are encouraged to apply the latest security updates from OpenSSL.

Customers are strongly encouraged to view the Security Update Guide to review any actions that they may need to take. OpenSSL version 3.0.7 became generally available on November 1st, 2022, and OpenSSL downgraded CVE-2022-3602 from a critical to a high severity rating. OpenSSL 3.0.7 addresses two vulnerabilities (CVE-2022-3786 and CVE-2022-3602) that have Denial of Service impact for systems that perform certificate validation. An attacker could send a maliciously crafted certificate to a client or server that parses certificates as part of authentication, resulting in a crash. At this time the vulnerability does not appear to reliably allow Remote Code Execution and is not known to be under attack. The Denial of Service (DoS) vulnerability stems from a pair of buffer overflows which can be triggered in name constraint checking when OpenSSL does X.509 certificate validation.
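For customers who manage their own environments, the practical first step is to find out which OpenSSL each host and each runtime is linked against. The following script is an added example written for this post; it is not Microsoft's or the OpenSSL project's code. It parses the banner printed by `openssl version` (or the one exposed by Python's `ssl` module) and compares it against the 3.0.7 fix release. The affected range it uses, 3.0.0 through 3.0.6, comes from the OpenSSL advisory and is not stated on this page; the 1.1.1 and 1.0.2 branches do not contain the affected code. The sample banners at the bottom are constructed inputs.

```python
import re
import ssl
from typing import Optional, Tuple

# First 3.0-series release carrying the fixes for CVE-2022-3602 and CVE-2022-3786.
FIXED_VERSION = (3, 0, 7)
# Affected range per the OpenSSL advisory (assumption for this example; the page
# only names the fix release): 3.0.0 through 3.0.6. Earlier branches are not affected.
FIRST_AFFECTED = (3, 0, 0)

# Matches "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an `openssl version` banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version lies in the vulnerable 3.0.0..3.0.6 window."""
    return FIRST_AFFECTED <= version < FIXED_VERSION


def assess(banner: str) -> str:
    """Classify a banner as affected, fixed, not affected, or unknown."""
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown: could not parse an OpenSSL version from the banner"
    ver = ".".join(map(str, v))
    if is_affected(v):
        return f"affected: OpenSSL {ver} is in 3.0.0-3.0.6; upgrade to 3.0.7 or later"
    if v < FIRST_AFFECTED:
        return f"not affected: OpenSSL {ver} predates the 3.0 series"
    return f"fixed: OpenSSL {ver} includes the 3.0.7 fixes"


def assess_running_python() -> str:
    """Check the OpenSSL this interpreter's ssl module is linked against.

    This can differ from the system `openssl` binary, which is exactly why
    runtimes (Python, Node, Java bundles, containers) need their own check.
    """
    return assess(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample banners in the format `openssl version` prints.
    samples = [
        "OpenSSL 3.0.5 5 Jul 2022",
        "OpenSSL 3.0.7 1 Nov 2022",
        "OpenSSL 1.1.1q  5 Jul 2022",
        "LibreSSL 3.3.6",
    ]
    for banner in samples:
        print(f"{banner!r}: {assess(banner)}")
    print(f"this interpreter: {assess_running_python()}")
```

Run it directly on a host to see the runtime's own library, or feed it the output of `openssl version` collected from a fleet; anything that reports "affected" belongs in the update queue for 3.0.7, and anything "unknown" (for example a LibreSSL or vendor-patched banner) needs a manual look.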