
OpenSSL vulnerability (CVE-2022-3602)


CSIRT, Keio University
ITC, Keio University


Earlier today (November 2, 2022), a new version 3.0.7 of OpenSSL was released to address vulnerability CVE-2022-3602. The severity of this vulnerability was initially reported as "critical" and was somewhat sensationalized in news reporting; however, the severity has been changed to "high" following additional analysis.

The impact of this vulnerability can be broadly summarized as follows:

  • OpenSSL 1.x, currently used by many systems globally, is not impacted
  • Even in systems that are impacted, other OS protective measures may limit the impact
  • In a typical web server system, clients are believed to be more impacted than servers (servers which use client certificate authentication may also be impacted)
  • Information about systems impacted by the vulnerability can be found at https://github.com/NCSC-NL/OpenSSL-2022/blob/main/software/README.md

Based on this information, most systems will likely not be affected, but the following are some examples of affected software with many users:

  • RedHat Enterprise Linux 9
  • CentOS Stream 9
  • Ubuntu 22.04 LTS
  • Homebrew
  • SoftEther VPN

VMware Tools and other software packages are believed to be affected, but most likely not in a serious way. In addition, some individual systems may require OpenSSL 3 functions and therefore install OpenSSL 3 separately from the built-in system components, so it is advisable to check each system's status using the above information to be sure.
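The following POSIX shell script is an added example and is not part of the Keio CSIRT advisory. It classifies an OpenSSL version string against CVE-2022-3602 and then reports on OpenSSL binaries found at a few common locations, including a separately installed copy that the system package manager would not report. The affected range is assumed from the advisory to be 3.0.0 through 3.0.6 (3.0.7 is the fixed release; 1.x is not impacted); the candidate binary paths are assumptions and should be extended with any application that bundles its own OpenSSL 3.

```shell
#!/bin/sh
# Added example, not part of the Keio CSIRT advisory. Classifies an OpenSSL
# version string against CVE-2022-3602 and reports on locally installed
# OpenSSL binaries. Assumed affected range: 3.0.0 through 3.0.6 (the advisory
# states 3.0.7 is the fixed release and that 1.x is not impacted).

# Usage: openssl_cve_2022_3602_status "<version string>"
# Accepts either a bare version ("3.0.5") or the full output of
# `openssl version` ("OpenSSL 3.0.5 5 Jul 2022").
# Prints exactly one word: affected, fixed, not-affected, or unknown.
openssl_cve_2022_3602_status() {
    # Pull out the leading major.minor.patch triple; anything after it
    # (letter suffixes such as 1.1.1q, build dates) is ignored.
    ver=$(printf '%s\n' "$1" | sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\2/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -ne 3 ]; then
        # 1.x is outside the affected series
        echo not-affected
    elif [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        # 3.0.0 .. 3.0.6
        echo affected
    else
        # 3.0.7 and later, or any 3.1+ release
        echo fixed
    fi
}

# Usage: check_openssl_binary /path/to/openssl
# Runs the given openssl executable, if present, and prints
# "<path>: <status> (<version output>)".
check_openssl_binary() {
    bin=$1
    if [ ! -x "$bin" ]; then
        return 0
    fi
    out=$("$bin" version 2>/dev/null || echo "")
    echo "$bin: $(openssl_cve_2022_3602_status "$out") ($out)"
}

# Candidate locations (assumed, not from the advisory). The system copy is
# listed first; the remaining paths are where a separately installed OpenSSL 3
# commonly lands (/usr/local and the Intel / Apple Silicon Homebrew prefixes).
for candidate in /usr/bin/openssl /usr/local/bin/openssl \
    /usr/local/opt/openssl@3/bin/openssl /opt/homebrew/opt/openssl@3/bin/openssl; do
    check_openssl_binary "$candidate"
done
```

A system copy reporting "not-affected" (1.x) does not clear the host on its own: the loop exists precisely because an application-bundled OpenSSL 3 can sit next to an unaffected OS package, which is the case the advisory asks readers to check for.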

[Note]

Last-Modified: November 2, 2022
