Vulnerability in OpenSSL
CVE-2022-3602
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certi…
EPSS: 0.835 (99.3rd percentile).
Affected products
- OpenSSL — affected versions 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6; fixed in OpenSSL 3.0.7
Public proof-of-concept exploits
- NCSC-NL/OpenSSL-2022
- colmmacc/CVE-2022-3602
- rbowes-r7/cve-2022-3602-and-cve-2022-3786-openssl-poc
- eatscrayon/CVE-2022-3602-poc
- corelight/CVE-2022-3602
- cybersecurityworks553/CVE-2022-3602-and-CVE-2022-3786
- attilaszia/cve-2022-3602
- alicangnll/SpookySSL-Scanner
- GhostTroops/TOP
- IT-Relation-CDC/OpenSSL3.x-Scanner_
References
- www.openssl.org/news/secadv/20221101.txt
- git.openssl.org/gitweb/
- [oss-security] 20221101 OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786) (mailing-list)
- [oss-security] 20221101 Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786) (mailing-list)
- 20221028 Vulnerabilities in OpenSSL Affecting Cisco Products: November 2022 (vendor-advisory)
Frequently asked questions
- What is CVE-2022-3602?
- CVE-2022-3602 is a vulnerability in OpenSSL. Published 2022-11-01.
- Is CVE-2022-3602 known to be exploited?
- 55 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.