After analysing the vulnerability, we consider that current releases of the Cumulocity IoT Platform are not affected. However, if your microservices use vulnerable OpenSSL versions for outbound TLS connections, you are advised to upgrade the OpenSSL library to version 3.0.7.
Once further details are available, we will analyse the impact of the vulnerability in the context of the Cumulocity IoT Platform and take any necessary actions.
Thank you for your continued co-operation.
OpenSSL - X.509 Email Address 4-byte Buffer Overflow and X.509 Email Address Variable Length Buffer Overflow.
CVE: CVE-2022-3786, CVE-2022-3602
CVSS Score: N/A
Vulnerability Details: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. An attacker can craft a malicious email address in a certificate to trigger a buffer overflow that could result in a crash (denial of service) or potentially remote code execution.
Severity: High
Reference: https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
• OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue.
• OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.
• OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
The details published in the CVE have been analysed in the context of Cumulocity IoT cloud and Cumulocity IoT Edge. After analysing the vulnerability, we consider that current releases of the Cumulocity IoT Platform are not affected. However, if your microservices use vulnerable OpenSSL versions for outbound TLS connections, you are advised to upgrade the OpenSSL library to version 3.0.7, as recommended above.
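As an added illustration (not part of the Cumulocity advisory or its tooling), the following Python check maps an OpenSSL version banner, such as the output of `openssl version` collected from each microservice image, onto the affected and fixed ranges stated above. It assumes that every release at or after 3.0.7 carries the fix and that `ssl.OPENSSL_VERSION` reflects the OpenSSL library the running Python interpreter links against.

```python
import re
import ssl

# Ranges stated in the advisory: 3.0.0 to 3.0.6 affected, 3.0.7 fixed,
# 1.1.1 and 1.0.2 not affected. Assumption (not from the advisory):
# every release at or after 3.0.7 carries the fix.
AFFECTED_MIN = (3, 0, 0)
FIXED_IN = (3, 0, 7)

# Matches banners such as "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
_BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner: str):
    """Return (major, minor, patch) from an OpenSSL version banner, or None
    when the banner is not OpenSSL (e.g. LibreSSL, BoringSSL) or unparsable."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def classify(banner: str) -> str:
    """Map a banner onto the advisory's categories."""
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown"
    if version < AFFECTED_MIN:
        return "not_affected"   # 1.0.2 / 1.1.1 series, per the advisory
    if version < FIXED_IN:
        return "vulnerable"     # 3.0.0 .. 3.0.6: upgrade to 3.0.7
    return "fixed"


def audit(banners):
    """Classify a collection of banners; returns {banner: category}."""
    return {b: classify(b) for b in banners}


def local_python_status() -> str:
    """Status of the OpenSSL that this interpreter's ssl module links against."""
    return classify(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample banners, not output from any real host.
    sample = ["OpenSSL 3.0.5 5 Jul 2022", "OpenSSL 3.0.7 1 Nov 2022",
              "OpenSSL 1.1.1q  5 Jul 2022", "LibreSSL 3.3.6"]
    for banner, status in audit(sample).items():
        print(f"{status:<13} {banner}")
    print("local python ssl:", local_python_status(), ssl.OPENSSL_VERSION)
```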
For updates regarding public Cumulocity IoT platforms that we operate, refer to the status page - https://status.cumulocity.com/.
Change log:
31st October 2022 - Initial publication
2nd November 2022 - Advisory updated after CVE details became available.
Latest updates are available from:
https://www.openssl.org/news/secadv/20221101.txt
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3786
Please be informed that OpenSSL has announced that its next release will be published on Tuesday (1st Nov, 2022). This release is expected to include a fix for a HIGH severity security vulnerability.
CVE: unknown
CVSS Score: unknown
Vulnerability Details: unknown
Severity: High
Reference: https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
Versions that are vulnerable:
- OpenSSL versions 3.0 and above.
- OpenSSL version 3.0.7 is expected to be released on Tuesday (1st Nov, 2022) with the fix for this vulnerability.
From our current analysis, the vulnerability does NOT impact the current GA versions of the Cumulocity IoT Public Clouds and Edge deployments, as the affected OpenSSL versions are not used in the Cumulocity platform.
Once further details are available, we will analyse the impact of the vulnerability in the context of the Cumulocity IoT Platform and take any necessary actions.
Please watch out for updates on the status page - https://status.cumulocity.com/