CVE-2022-3602 and CVE-2022-3786 Critical OpenSSL 3.0.x security vulnerabilities

Tomas Mraz tomas at openssl.org
Wed Nov 2 07:38:27 UTC 2022


In general, unless you've built and installed your own build of OpenSSL,
you need to refer to the vendor of your operating system for patches.

In particular, the openssl packages in CentOS 7.9 are not affected, given
they are version 1.0.2 and not version 3.0.x.

Tomas Mraz, OpenSSL

On Wed, 2022-11-02 at 17:48 +1100, Turritopsis Dohrnii Teo En Ming
wrote:
> Subject: CVE-2022-3602 and CVE-2022-3786 Critical OpenSSL 3.0.x
> security vulnerabilities
> 
> Good day from Singapore,
> 
> I refer to the following posts.
> 
> [1] OpenSSL Gives Heads Up to Critical Vulnerability Disclosure,
> Check Point Alerts Organizations to Prepare Now
> Link:
> https://blog.checkpoint.com/2022/10/30/openssl-gives-heads-up-to-critical-vulnerability-disclosure-check-point-alerts-organizations-to-prepare-now/
> 
> [2] 2022 OpenSSL vulnerability - CVE-2022-3602 - Spooky SSL
> Link: https://github.com/NCSC-NL/OpenSSL-2022
> 
> [3] VMware Response to CVE-2022-3602 and CVE-2022-3786:
> vulnerabilities in OpenSSL 3.0.x
> Link:
> https://blogs.vmware.com/security/2022/11/vmware-response-to-cve-2022-3602-and-cve-2022-3786-vulnerabilities-in-openssl-3-0-x.html
> 
> I have 2 internet-facing CentOS 7.9 Linux servers in Europe.
> 
> Are the patches available already? How do I patch OpenSSL on my
> CentOS 7.9 Linux servers?
> 
> Thank you.
> 
> Regards,
> 
> Mr. Turritopsis Dohrnii Teo En Ming
> Targeted Individual in Singapore
> Blogs:
> https://tdtemcerts.blogspot.com
> https://tdtemcerts.wordpress.com

-- 
Tomáš Mráz, OpenSSL


