Security Advisory

TLS-SSL - CVE-2022-3786, CVE-2022-3602 
Published: November 2, 2022
Last Update: November 2, 2022
Summary

On November 1, 2022, the OpenSSL project disclosed [1] two vulnerabilities in OpenSSL 3.0.x that may cause buffer overruns, which could result in program crashes (Denial-of-Service, DoS) or potentially remote code execution. The exposure of A10 products to these vulnerabilities is addressed in this document.

Item Score

#  Vulnerability ID  Source  Score         Summary
1  CVE-2022-3786     CVSSv3  7.5 High      OpenSSL: X.509 Email Address Variable Length Buffer Overflow [2]
2  CVE-2022-3602     CVSSv3  9.8 Critical  OpenSSL: X.509 Email Address Buffer Overflow [3]
Affected Releases

The table below indicates the vulnerability status of A10 products for these vulnerabilities. Unless specific models or product software releases are indicated, the vulnerability status should be considered to reflect all product models and software releases.

Product Vulnerability Status
A10 Thunder Not affected
A10 vThunder (Virtual Thunder) Not affected
A10 cThunder (Container Thunder) Not affected
A10 AX Series Not affected
A10 aGalaxy TPS Not affected
A10 aGalaxy ADC Series Not affected
A10 Harmony Controller Not affected
A10 Enterprise License Manager (ELM) Not affected
Workarounds and Mitigations

Not applicable.

Software Updates

Not applicable.

Vulnerability Details

The following table shares brief descriptions for the vulnerabilities addressed in this document.

Vulnerability ID Vulnerability Description
CVE-2022-3786

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the '.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (affected: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6).

CVE-2022-3602

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above has led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (affected: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6).
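Both CVEs apply only to the OpenSSL 3.0.0 through 3.0.6 builds listed above and are fixed in 3.0.7. The following is an added example (not A10's tooling or the OpenSSL project's code) that classifies an `openssl version` string, whether read from a host or from an inventory/SBOM export, against that affected range; the function and constant names are the author's own.

```python
"""Classify OpenSSL version strings against the CVE-2022-3786 / CVE-2022-3602
affected range (3.0.0 through 3.0.6, fixed in 3.0.7). Added example, not
part of the advisory; accepts the text printed by `openssl version`."""
import re
import subprocess
from typing import Optional, Tuple

# Range named in the advisory: 3.0.0 <= version < 3.0.7 is affected.
AFFECTED_MIN = (3, 0, 0)
FIXED = (3, 0, 7)

# Matches e.g. "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022";
# the optional letter suffix belongs to the pre-3.0 numbering scheme.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an `openssl version` line, or None
    when the text does not name an OpenSSL version (e.g. LibreSSL)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True only for the 3.0.0-3.0.6 series the advisory lists; other branches
    (1.1.1, 3.1 and later) are outside that range and are reported as not affected."""
    return AFFECTED_MIN <= version < FIXED


def assess(text: str) -> str:
    """Human-readable verdict for one version string."""
    v = parse_openssl_version(text)
    if v is None:
        return "unknown: no OpenSSL version found"
    label = ".".join(str(n) for n in v)
    if is_affected(v):
        return f"affected: OpenSSL {label} (upgrade to 3.0.7 or later)"
    return f"not affected: OpenSSL {label}"


def assess_local() -> str:
    """Run `openssl version` on this host and assess the result."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError) as exc:
        return f"unknown: could not run openssl ({exc})"
    return assess(out)


if __name__ == "__main__":
    print(assess_local())
```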

Acknowledgements

None

Modification History
Revision  Date              Description
1.0       November 2, 2022  Initial Publication


© Copyright 2022 A10 Networks, Inc. All Rights Reserved.