OpenSSL 3.0.7 Patch

Overview

The OpenSSL Project has released a security fix in version 3.0.7. The issue is rated HIGH severity and affects OpenSSL 3.0.0 through 3.0.6. The advisory can be found here; it has been split into two CVEs, both buffer overflows reached while verifying an X.509 certificate that carries a crafted email address:

  • X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602)

  • X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)

CodeSentry SCA can help find usage of OpenSSL in your software and flag the affected versions. Please contact your sales representative or email sales@grammatech.com. We have also written a blog post on this topic, see here.

CodeSonar 7 Family

We have analyzed CodeSonar and determined that versions 7.0 and 7.1 ship with a vulnerable version of OpenSSL. Our upcoming release, CodeSonar 7.2, will include the patched OpenSSL. Patched installers for the affected earlier versions will be released on the schedule below.

Older Versions of CodeSonar

Versions released prior to CodeSonar 7.0 used OpenSSL 1.1.1, which is not affected by these CVEs.

Patched Installer Updates

Patched installers are scheduled for release as follows:

Version   Patch Release Date
7.1       22nd November
7.0       22nd November
6.x       Not affected

We recommend that you check this page regularly for updates to the schedule. Our currently supported versions of CodeSonar can be found here.

Questions

Should we stop all hubs that are running 7.x and below?

No. If you are not running the hub in HTTPS mode, are not using TLS mode for the Postgres connection, and are not using MASTER_USE_TLS, you can continue to use these hubs. If a hub is exposed only on your intranet, you trust the people on that intranet, and the intranet is secure, the risk is low. For reference, the OpenSSL advisory describes the trigger as certificate verification: a TLS client is exposed when it connects to a malicious server, and a TLS server is exposed when it requests client authentication and a malicious client connects.

Note: the above does not apply if someone has compromised your intranet, or if a hub is running HTTPS and you have not accounted for it being enabled.
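The two places above where a version check matters, finding OpenSSL usage in your software and deciding whether a running hub is exposed, can both be covered with a small script. The one below is an added example written for this page; it is not GrammaTech's or CodeSentry's code. It classifies a version string against the affected range stated above (3.0.0 through 3.0.6) and scans an install directory for bundled libssl/libcrypto files carrying such a version string. The assumption that the bundled libraries are files named libssl* or libcrypto* under the install tree is ours, not something the page states.

```shell
# Added example, not GrammaTech/CodeSentry code. Affected range per the
# OpenSSL advisory: 3.0.0 through 3.0.6. The libssl*/libcrypto* file-name
# convention under the install directory is an assumption.

# openssl_affected VERSION
# VERSION is either the output of `openssl version` ("OpenSSL 3.0.5 5 Jul 2022")
# or a bare "3.0.5". Returns 0 (true) when the version is 3.0.0..3.0.6 and
# 1 otherwise, including when the string cannot be parsed.
openssl_affected() {
    # Drop an "OpenSSL " prefix, then keep only the leading dotted number.
    ver=$(printf '%s\n' "$1" | sed -e 's/^OpenSSL  *//' \
                              | sed -n 's/^\([0-9][0-9.]*[0-9]\).*/\1/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}
    # 1.1.1 and 3.1.x are outside the range; only 3.0.x with x <= 6 matches.
    [ "$major" = 3 ] && [ "$minor" = 0 ] && [ "$patch" -le 6 ] 2>/dev/null
}

# scan_install_dir DIR
# Finds libssl*/libcrypto* files under DIR, pulls the first "OpenSSL x.y.z"
# string each binary embeds (grep -a reads the binary as text), and prints
# "path: OpenSSL x.y.z" for every one in the affected range.
# Returns 0 if at least one affected library was found, 1 otherwise.
scan_install_dir() {
    hits=$(find "$1" -type f \( -name 'libssl*' -o -name 'libcrypto*' \) -print 2>/dev/null |
        while IFS= read -r f; do
            v=$(grep -a -o 'OpenSSL [0-9][0-9.a-z]*' "$f" 2>/dev/null | head -n 1)
            [ -n "$v" ] && openssl_affected "$v" && printf '%s: %s\n' "$f" "$v"
        done)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Stand-alone use: pass the CodeSonar install directory as the first argument.
# Also checks whichever openssl binary is on PATH, since a hub started from a
# shell inherits that environment (assumed; adjust to your deployment).
if [ -n "${1:-}" ]; then
    if openssl_affected "$(openssl version 2>/dev/null)"; then
        echo "openssl on PATH is in the affected range"
    fi
    scan_install_dir "$1" || echo "no affected libssl/libcrypto found under $1"
fi
```

Run it as `sh check_openssl.sh /path/to/codesonar` (file name is ours). A hit from scan_install_dir means the tree bundles an OpenSSL in the affected range; whether that library is actually reachable still depends on the HTTPS, Postgres TLS and MASTER_USE_TLS settings discussed above, so treat the script as an inventory check, not as a substitute for applying the patched installer.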

Info

We recommend that you follow the support advisory section so that any new content added in the future triggers an email notification to your inbox.
