The OpenSSL project released a patch for two high severity vulnerabilities in the world’s most widely used cryptographic library. The project’s maintainers warned users since last week to prepare for a critical patch on November 1, but the severity has since been downgraded following additional testing.
Organizations should still determine which of their applications and servers are impacted and deploy the patches as soon as possible. The vulnerabilities affect all versions of OpenSSL 3.0, which has been available since last year.
Buffer overflows in X.509 certificate verification
The two vulnerabilities, tracked as CVE-2022-3786 and CVE-2022-3602, are buffer overflow conditions in the punycode decoding functionality that was first introduced in OpenSSL 3.0.0 in September 2021. Punycode is a system for representing Unicode characters as ASCII and is used for example to represent internationalized domain names in the DNS system. In OpenSSL the vulnerable code is used for processing email address name constraints in X.509 certificates, also commonly known as SSL/TLS certificates.
x86: unintended memory sharing between guests [XSA-412, CVE-2022-42327]
Xenstore: Guests can crash xenstored [XSA-414, CVE-2022-42309]
Xenstore: Guests can create orphaned Xenstore nodes [XSA-415,
CVE-2022-42310]
Xenstore: guests can let run xenstored out of memory [XSA-326,
CVE-2022-42311, CVE-2022-42312, CVE-2022-42313, CVE-2022-42314,
CVE-2022-42315, CVE-2022-42316, CVE-2022-42317, CVE-2022-42318]
Xenstore: Guests can cause Xenstore to not free temporary memory
[XSA-416, CVE-2022-42319]
Xenstore: Guests can get access to Xenstore nodes of deleted domains
[XSA-417, CVE-2022-42320]
Xenstore: Guests can crash xenstored via exhausting the stack
[XSA-418, CVE-2022-42321]
Xenstore: Cooperating guests can create arbitrary numbers of nodes
[XSA-419, CVE-2022-42322, CVE-2022-42323]
Oxenstored 32->31 bit integer truncation issues [XSA-420, CVE-2022-42324]
Xenstore: Guests can create arbitrary number of nodes via transactions
[XSA-421, CVE-2022-42325, CVE-2022-42326]
The application was signed using a key length less than or equal to 1024 bits, making it potentially vulnerable to forged digital signatures. An attacker could forge the same digital signature of the app after maliciously modifying the app.