exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 7 of 7 RSS Feed

CVE-2022-3602

Status Candidate

Overview

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).

Related Files

Ubuntu Security Notice USN-6531-1
Posted Dec 6, 2023
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 6531-1 - Seiya Nakata and Yudai Fujiwara discovered that Redis incorrectly handled certain specially crafted Lua scripts. An attacker could possibly use this issue to cause heap corruption and execute arbitrary code. SeungHyun Lee discovered that Redis incorrectly handled specially crafted commands. An attacker could possibly use this issue to trigger an integer overflow, which might cause Redis to allocate impossible amounts of memory, resulting in a denial of service via an application crash.

tags | advisory, denial of service, overflow, arbitrary
systems | linux, ubuntu
advisories | CVE-2022-24834, CVE-2022-35977, CVE-2022-36021, CVE-2023-25155, CVE-2023-28856, CVE-2023-45145
SHA-256 | 86bf06ce70285fd40bd6c61d977ae5a038cc5d7e43804cf355bef675f762bdeb
Red Hat Security Advisory 2023-0786-01
Posted Feb 16, 2023
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2023-0786-01 - Network observability is an OpenShift operator that provides a monitoring pipeline to collect and enrich network flows that are produced by the Network observability eBPF agent. The operator provides dashboards, metrics, and keeps flows accessible in a queryable log store, Grafana Loki. When a FlowCollector is deployed, new dashboards are available in the Console.

tags | advisory
systems | linux, redhat
advisories | CVE-2021-46848, CVE-2022-1271, CVE-2022-1304, CVE-2022-2509, CVE-2022-33099, CVE-2022-34903, CVE-2022-3515, CVE-2022-35737, CVE-2022-3602, CVE-2022-3715, CVE-2022-3786, CVE-2022-3821, CVE-2022-40303, CVE-2022-40304
SHA-256 | 013e0d112d12163306ab5fd48c064c86a91e50c0e5cba35318befef6de74f4c3
Red Hat Security Advisory 2022-7384-01
Posted Nov 3, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-7384-01 - The ubi9/openssl image provides provides an openssl command-line tool for using the various functions of the OpenSSL crypto library. Issues addressed include a buffer overflow vulnerability.

tags | advisory, overflow, cryptography
systems | linux, redhat
advisories | CVE-2022-3602, CVE-2022-3786
SHA-256 | 2d06e9dfb51b5c9d873e5550a4253a970790f764b91c9681acc1009726636955
Gentoo Linux Security Advisory 202211-01
Posted Nov 2, 2022
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 202211-1 - Multiple vulnerabilities have been discovered in OpenSSL, the worst of which could result in remote code execution. Versions less than 3.0.7:0/3 are affected.

tags | advisory, remote, vulnerability, code execution
systems | linux, gentoo
advisories | CVE-2022-3602, CVE-2022-3786
SHA-256 | 74d9846dab1725376e2239dab259af2da8c355857e141540172199e96d2976b6
Red Hat Security Advisory 2022-7288-01
Posted Nov 2, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-7288-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full strength general purpose cryptography library. Issues addressed include a buffer overflow vulnerability.

tags | advisory, overflow, protocol
systems | linux, redhat
advisories | CVE-2022-3602, CVE-2022-3786
SHA-256 | 36d6bbb8281f96a5020fa36bd696fd4ed5fe25f026bc665c147dc884b4c5aeff
OpenSSL Toolkit 3.0.7
Posted Nov 2, 2022
Site openssl.org

OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide. The 3.x series is the current major version of OpenSSL.

Changes: Added RIPEMD160 to the default provider. Fixed regressions introduced in 3.0.6 version. Fixed two buffer overflows in punycode decoding functions.
tags | tool, encryption, protocol
systems | unix
advisories | CVE-2022-3602, CVE-2022-3786
SHA-256 | 83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e
OpenSSL Security Advisory 20221101
Posted Nov 1, 2022
Site openssl.org

OpenSSL Security Advisory 20221101 - A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Other issues were also addressed.

tags | advisory, remote, denial of service, overflow, code execution
advisories | CVE-2022-3602, CVE-2022-3786
SHA-256 | f5b2b5456475218f21e11c204399e21895e40c447a1a4638df485d020701c36b
Page 1 of 1
Back1Next

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close