Is Mend vulnerable to the OpenSSL vulnerability?
On October 25th, 2022, two new OpenSSL vulnerabilities were pre-announced. Both are rated HIGH severity and affect OpenSSL versions 3.0.0 through 3.0.6, inclusive.
CVE-2022-3786 and CVE-2022-3602 have been assigned to these vulnerabilities. The Mend application is up to date with the CVE details, and we encourage our customers to scan their code with Mend to identify whether their code is impacted by these vulnerabilities.
What are the OpenSSL vulnerabilities, CVE-2022-3786 and CVE-2022-3602?
According to OpenSSL's official announcement, OpenSSL version 3.0.7, scheduled for release on November 1st, 2022, between 13:00 and 17:00 UTC, addresses both HIGH severity vulnerabilities. The OpenSSL project has stated that versions of OpenSSL prior to 3.0 are not affected. OpenSSL's Security Policy defines HIGH severity as:
“This includes issues that are of a lower risk than critical, perhaps due to affecting less common configurations, or which are less likely to be exploitable. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control.”
CVE-2022-3786
From OpenSSL, CVE-2022-3786 is described as:
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Reported by Viktor Dukhovni.
Currently, NVD has not tagged CVE-2022-3786 with a CVSS score. For now, Mend’s Data & Security team has analyzed this case and has marked CVE-2022-3786 with a 7.5 CVSS score.
CVE-2022-3602
From OpenSSL, CVE-2022-3602 is described as:
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Reported by Polar Bear.
Currently, NVD has not tagged CVE-2022-3602 with a CVSS score. For now, Mend’s Data & Security team has analyzed this case and has marked CVE-2022-3602 with a 9.8 CVSS score.
What components are impacted by the OpenSSL vulnerabilities, CVE-2022-3786 and CVE-2022-3602?
The OpenSSL versions below are affected by both CVE-2022-3786 and CVE-2022-3602:
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
What is Mend’s recommended action to fix the OpenSSL vulnerabilities for my own products?
Prepare to update any vulnerable OpenSSL installations to 3.0.7 on Tuesday, November 1, 2022. You can check the OpenSSL version installed on a host by running the following command:
openssl version
Note that this reports the version of the OpenSSL command-line binary on that host. Applications that bundle or statically link their own copy of OpenSSL (for example, language runtimes, container images, and vendored libraries) must be checked separately, which is what the Mend inventory report is for.
Run an organization-wide inventory report. If you require a multiple organization report or have over 1000 products, we recommend using the Mend Bulk Report Generator tool to streamline report generation.
Search the inventory report for libraries with instances of the referenced vulnerabilities to identify impacted applications.
Contact relevant teams and alert them to the urgency and the fix.
Users of affected versions should apply the relevant mitigations and/or remediation:
Mitigation Recommendations: Advisory: New OpenSSL Critical Security Vulnerability
Remediation Recommendations:
Mend Database: CVE-2022-3786
Mend Database: CVE-2022-3602
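The version check above, turned into a small script that classifies `openssl version` output against the affected range (3.0.0 through 3.0.6). This is an added example and not part of Mend's tooling or the original page; the function names and the sample version strings are constructed for illustration. It also shows where the bare CLI check falls short: a runtime or container that ships its own libssl is not covered by the host's `openssl` binary, and vendor-patched distribution packages may keep the upstream version number while carrying the fix, so the package changelog is the authority there.

```shell
#!/bin/sh
# Added example (not Mend's or OpenSSL's code). Classifies an OpenSSL version
# string against CVE-2022-3786 / CVE-2022-3602 (affected: 3.0.0 through 3.0.6).
#
# Returns 0 when the version is in the affected range, 1 when it is not
# (1.1.1 and earlier, 3.0.7 and later, 3.1+), and 2 when the string is not
# an OpenSSL version at all (e.g. LibreSSL on macOS, or an empty string).
openssl_affected() {
  # Accept either bare "3.0.5" or full `openssl version` output such as
  # "OpenSSL 3.0.5 5 Jul 2022"; keep only the leading x.y.z token.
  ver=$(printf '%s\n' "$1" | sed -n -e 's/^OpenSSL //' \
        -e 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
  [ -n "$ver" ] || return 2
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  # Only the 3.0.x series is affected; 3.0.7 is the fixed release.
  [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]
}

# Human-readable verdict for one version string.
report() {
  openssl_affected "$1" && rc=0 || rc=$?
  case $rc in
    0) printf 'AFFECTED      : %s (upgrade to 3.0.7)\n' "$1" ;;
    1) printf 'not affected  : %s\n' "$1" ;;
    *) printf 'unknown/other : %s (not an OpenSSL version string)\n' "$1" ;;
  esac
  return $rc
}

# Constructed sample inputs, in the format `openssl version` prints them.
for sample in "OpenSSL 3.0.5 5 Jul 2022" \
              "OpenSSL 3.0.7 1 Nov 2022" \
              "OpenSSL 1.1.1q  5 Jul 2022" \
              "LibreSSL 3.3.6"; do
  report "$sample" || true
done

# Live check of the host binary, when one is present. Caveats a practitioner
# should keep in mind (facts about common deployments, not output of this script):
#  - distro packages may backport the fix while keeping the 3.0.x version
#    string, so consult the package changelog rather than trusting the number;
#  - applications that bundle OpenSSL report their own copy, e.g.
#    `python3 -c 'import ssl; print(ssl.OPENSSL_VERSION)'` or
#    `node -p process.versions.openssl`, and `ldd <binary> | grep libssl`
#    shows which shared library a native binary actually loads.
if command -v openssl >/dev/null 2>&1; then
  report "$(openssl version 2>/dev/null)" || true
fi
```

Run it on each host or in each container image; a status of 0 means the OpenSSL it found is in the affected range, and a status of 2 means it found something other than OpenSSL, which still needs a separate check rather than being treated as safe.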
Are Mend offerings vulnerable to the OpenSSL vulnerabilities?
Mend does not use OpenSSL in the application code of any of our offered products, both SCA and SAST. Our cloud infrastructure uses an OpenSSL version prior to 3.0, which is not affected. Therefore, Mend is not impacted by these vulnerabilities.
Frequently Asked Questions
Q: Do I need to rescan my projects to detect this vulnerability?
A: No, Mend keeps a current list of vulnerabilities in our index and alerts are automatically applied to a vulnerability once the index is updated.
Q: How can Mend alert me when a vulnerability of this severity is introduced in my project?
A: If you have policies set up in your organization, Mend will automatically notify you in case you are affected by this vulnerability. To set up a policy within your organization, please review our Policies documentation. If you do not wish to set this up, you can utilize the Security Alerts reports for the CVEs.
Q: How can I tell if this vulnerability is in one of my transitive dependencies?
A: Our Inventory report, Security Alerts reports, and the Library Details page each show the dependency information (including whether a library is a direct or transitive dependency) you need to determine your next steps in mitigating this vulnerability. To retrieve the reports mentioned, navigate to the corresponding page in your Mend UI, or use our asynchronous Reports APIs or synchronous APIs.
Related Documentation
Mend Database: CVE-2022-3786
Mend Database: CVE-2022-3602
Mend Blog: Advisory: New OpenSSL Critical Security Vulnerability
OpenSSL: Security Policy
OpenSSL: Announcement of version 3.0.7
OpenSSL: Vulnerabilities