The OpenSSL project has announced two security vulnerabilities tracked as CVE-2022-3602 and CVE-2022-3786. The good news is that, contrary to what was originally anticipated, these vulnerabilities are unlikely to facilitate remote code execution, and only OpenSSL version 3.0.0 and later are impacted.

The OpenSSL project has announced two vulnerabilities affecting OpenSSL version 3.0.0 through to version 3.0.6, with version 3.0.7 containing the critical security fixes for these vulnerabilities.
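To triage an asset inventory against the range stated above, the following added example (not code from the OpenSSL project or this article) classifies collected `openssl version` banners. The function names, asset names and sample banners are hypothetical and constructed for illustration.

```python
import re

# Range stated in the text above: 3.0.0 through 3.0.6 affected, 3.0.7 fixed.
FIRST_AFFECTED, FIRST_FIXED = (3, 0, 0), (3, 0, 7)

# Banner printed by `openssl version`; 3.x also reports the loaded library.
_VERSION = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)(-(?:alpha|beta|dev)\w*)?")
_LIBRARY = re.compile(r"\(Library:\s*(.*)\)")


def classify(banner: str) -> str:
    """Return 'affected', 'fixed', 'not_affected' or 'unknown' for one banner."""
    text = banner.strip()
    # The library, not the CLI binary, is the code applications link against,
    # so prefer the "(Library: ...)" part when the banner carries one.
    lib = _LIBRARY.search(text)
    m = _VERSION.match(lib.group(1) if lib else text)
    if not m or m.group(4):
        # Other TLS libraries, pre-releases and unparseable output fall
        # outside the stated range: route them to manual review.
        return "unknown"
    version = tuple(int(part) for part in m.group(1, 2, 3))
    if version < FIRST_AFFECTED:
        return "not_affected"
    # Assumption: upstream numbering. Distro packages may backport the fix
    # without bumping this number, so confirm hits with the vendor advisory.
    return "fixed" if version >= FIRST_FIXED else "affected"


def triage(inventory):
    """Group (asset, banner) pairs by classification."""
    report = {"affected": [], "fixed": [], "not_affected": [], "unknown": []}
    for asset, banner in inventory:
        report[classify(banner)].append(asset)
    return report


# Constructed sample inventory (asset names and banners are illustrative).
SAMPLE = [
    ("web-01", "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)"),
    ("web-02", "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)"),
    ("app-01", "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)"),
    ("legacy-01", "OpenSSL 1.0.2k-fips  26 Jan 2017"),
    ("bsd-01", "LibreSSL 3.3.6"),
    ("build-01", "OpenSSL 3.0.0-beta2"),
]

if __name__ == "__main__":
    for status, assets in triage(SAMPLE).items():
        print(f"{status}: {', '.join(assets) or '-'}")
```

Note that `app-01` is reported as affected even though its command-line binary is 3.0.7, because the library it loads is still 3.0.5.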

There are two methods of confirming whether your business is impacted at this level:

- Compare your vendor list against a list of unaffected software solutions: https://github.com/NCSC-NL/OpenSSL-2022/blob/main/software/README.md
- Contact all of your software vendors to confirm their susceptibility to this vulnerability type (see below for recommendations on how to address OpenSSL security risks with third-party vendors collaboratively)

Vendors could be impacted by domains running vulnerable versions of OpenSSL or with software running vulnerable OpenSSL libraries.
