Update 10/27/2022
Alerted Vulnerabilities
On October 26, 2022, Wind River® became aware, from public sources, of a new vulnerability in OpenSSL versions 3.0.0 to 3.0.6. On November 1, 2022, the OpenSSL Group announced two high-severity vulnerabilities, CVE-2022-3786 and CVE-2022-3602. The OpenSSL Project has released version 3.0.7, available on November 1st, to remediate these vulnerabilities.
These high-severity vulnerabilities are likely to be exploitable; examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys, or cases where remote code execution is considered likely. The following information has been released on these vulnerabilities:
- CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows - OpenSSL Blog
- Fix CVE-2022-3786 in punycode decoder. · openssl/openssl@c42165b · GitHub
Affected Products
The following Wind River products are impacted:
- VxWorks 22.09
- WRLINUX_10_22_LTS and WRLINUX_CI
Please visit our Security Center for ongoing updates to the Wind River product vulnerability status and this alert.
Additional Resources
Please access these additional resources for these and all vulnerabilities:
- Wind River Security Center
- Wind River Product CVE Database
- Product-Specific Security Alerts and RSS Subscription
Wind River customers with additional questions about these vulnerabilities should contact Wind River Customer Support or their local Wind River sales representative for more information. If you own a device that may be impacted by these vulnerabilities, please contact your device manufacturer.