The “Man In The Middle” would force the client to employ the older SSL 3.0 protocol to communicate with the server and, as such, rely on an outdated cryptographic method, cipher block chaining (CBC). At the time of writing, in May 2021, about 4% of the 150,000 most popular sites still supported SSL 3.0 or lower and were vulnerable to attack [2]. And we can assume that this percentage is bound to increase if we take into account less popular (and likely less protected) servers.

While there are no public cases of Java™-affected attacks, big companies take these risks very seriously. Nobody really knows how many successful attacks went unnoticed. The list of organizations that fell victim to these exploits includes a Canadian tax agency [3], a UK parenting site [4], a large USA hospital chain [5] and even Yahoo Mail [6], and these are just some of the cases that were actually discovered.

The OpenSSL Project released a Security Advisory on November 1, 2022, concerning two critical vulnerabilities discovered in OpenSSL library versions 3.0.0 to 3.0.6. Both were assigned a High severity level. Both can be triggered during a client's or server's validation of an X.509 certificate. With the first one, X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), a specifically crafted email address can overflow four attacker-controlled bytes on the stack. In the case of the second vulnerability, X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786), a malicious email address can overflow an arbitrary number of bytes containing the “.” character (decimal 46) on the stack.

Both CVEs can be triggered if a vulnerable TLS client connects to a malicious server, or if a vulnerable TLS server requests client authentication and a malicious client connects. Exploitation of these CVEs may lead to denial of service (DoS) or remote code execution (RCE).

If you are using OpenSSL 3.0, you should upgrade to the newest library version as soon as possible: this is the only way to deal with CVE-2022-3602. In the case of CVE-2022-3786, you can temporarily disable the verification of client certificates. Library versions 1.1.1 and 1.0.2 are not affected by the issue. If the library is bundled with third-party software you are using, you should update that software as soon as the patch becomes available. The same applies to operating systems with OpenSSL installed (Ubuntu 22.04, CentOS Stream 9, Alpine Edge, etc.).

OpenJDK distributions, including Liberica JDK, use their own implementation of TLS and are therefore not affected. The OpenSSL package for Alpaquita Linux has also been updated; the patched version can be found in Alpaquita’s repositories. As far as Alpine Linux is concerned, the patch is already available. Amazon Linux 1 and Amazon Linux 2 don’t ship with OpenSSL 3.0, so no patch is required. If you are using BellSoft’s containers based on Liberica JDK and these distributions, you don’t have to worry, because our containers do not include this library by default.
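A quick way to tell which case a host falls into, added here as an example and not part of the original post: the function below parses the output of `openssl version` and reports whether the build is in the affected 3.0.0 to 3.0.6 range, already carries the fix (3.0.7 or later), or sits on a release line (1.1.1, 1.0.2) that this advisory does not cover. The sample version strings are constructed; on a real host, pass `"$(openssl version)"` instead.

```shell
#!/bin/sh
# Added example (not from the original post): classify an "openssl version"
# string against the range named in the advisory, OpenSSL 3.0.0 through 3.0.6.
# 3.0.7 and later carry the fix; 1.1.1 and 1.0.2 are outside these two CVEs.

# affected_openssl "<output of openssl version>"
# Prints "affected", "patched" or "not-affected"; returns 0 only when affected.
affected_openssl() {
    # The second whitespace-separated field is the version, e.g. "3.0.5" or "1.1.1q".
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Drop letter suffixes such as the "q" in "1.1.1q" so the comparison is numeric.
    patch=$(printf '%s' "$patch" | sed 's/[^0-9].*$//')
    case "$major.$minor" in
        3.0)
            if [ "${patch:-0}" -le 6 ]; then
                echo affected
                return 0
            else
                echo patched
                return 1
            fi
            ;;
        *)
            echo not-affected
            return 1
            ;;
    esac
}

# Constructed sample strings in the format printed by "openssl version".
for s in "OpenSSL 3.0.2 15 Mar 2022" "OpenSSL 3.0.7 1 Nov 2022" "OpenSSL 1.1.1q  5 Jul 2022"; do
    printf '%-30s -> %s\n' "$s" "$(affected_openssl "$s")"
done
```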