OpenSSL vulnerability (CVE-2022-3602)
ITC, Keio University
Earlier today (November 2, 2022), a new version 3.0.7 of OpenSSL was released to address vulnerability CVE-2022-3602. The severity of this vulnerability was initially reported as "critical" and was somewhat sensationalized in news reporting; however, the severity has been changed to "high" following additional analysis.
The impact of this vulnerability can be broadly summarized as follows:
- OpenSSL 1.x, currently used by many systems globally, is not impacted
- Even in systems that are impacted, other OS protective measures may limit the impact
- In a typical web server system, clients are believed to be more impacted than servers (servers which use client certificate authentication may also be impacted)
- Information about systems impacted by the vulnerability can be found at https://github.com/NCSC-NL/OpenSSL-2022/blob/main/software/README.md
Based on this information, most systems will likely not be affected, but the following are some examples of affected software with many users:
- Red Hat Enterprise Linux 9
- CentOS Stream 9
- Ubuntu 22.04 LTS
- Homebrew
- SoftEther VPN
VMware Tools and other software packages are believed to be affected, but most likely not in a serious way. In addition, some individual systems may require OpenSSL 3 functions and therefore have OpenSSL 3 installed separately from the built-in system components, so it is advisable to check the system's status using the information above to be sure.
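As an added example that is not part of this advisory, the following POSIX shell script classifies an `openssl version` banner against the affected range stated above (OpenSSL 3.0.0 through 3.0.6 affected, 3.0.7 fixed, 1.x not affected) and walks a few common locations where a second OpenSSL 3 is often installed alongside the system copy; the path list and the sample banners are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ITC advisory: classify "openssl version" output
# against CVE-2022-3602 and look for separately installed OpenSSL 3 copies.
# Per the advisory: OpenSSL 1.x is not affected, 3.0.0 to 3.0.6 are, 3.0.7 is fixed.

# Print one of: affected / not-affected / unknown for a version banner.
openssl_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    ver=${ver%.}                  # drop a trailing dot if the banner had one
    if [ -z "$ver" ]; then echo unknown; return 0; fi   # e.g. LibreSSL banners
    major=${ver%%.*}              # e.g. 3
    rest=${ver#*.}                # e.g. 0.5
    minor=${rest%%.*}             # e.g. 0
    patch=${rest#*.}              # e.g. 5 (equals $rest when there is no second dot)
    case "$major" in
        1) echo not-affected ;;
        3) if [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
               echo affected
           else
               echo not-affected
           fi ;;
        *) echo unknown ;;
    esac
    return 0
}

# Walk the system binary and common prefixes where a second OpenSSL 3 is often
# installed (Homebrew, /usr/local). The path list is an assumption; extend it
# for your environment.
scan_openssl_installs() {
    for bin in /usr/bin/openssl /usr/local/bin/openssl \
               /opt/homebrew/opt/openssl@3/bin/openssl \
               /usr/local/opt/openssl@3/bin/openssl; do
        [ -x "$bin" ] || continue
        banner=$("$bin" version 2>/dev/null) || continue
        printf '%-45s %-32s %s\n' "$bin" "$banner" "$(openssl_affected "$banner")"
    done
    return 0
}

scan_openssl_installs
```

Applications that bundle their own statically linked OpenSSL (SoftEther VPN is one of the examples listed above) are not found by scanning binaries this way; check those against the NCSC-NL list.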
[Note]
Last-Modified: November 2, 2022