SECURITY ALERT

OpenSSL 3.0.x Vulnerabilities

Update 10/27/2022

Alerted Vulnerabilities

On October 26, 2022, Wind River® became aware, from public sources, of a new vulnerability in OpenSSL versions 3.0.0 to 3.0.6. On November 1, 2022, the OpenSSL Group announced two high-severity vulnerabilities, CVE-2022-3786 and CVE-2022-3602. The OpenSSL Project has released version 3.0.7, available on November 1st, to remediate these vulnerabilities.

These high-severity vulnerabilities are likely to be exploitable; examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys, or where remote code execution is considered likely. The following information has been released on these vulnerabilities:

CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows - OpenSSL Blog

Fix CVE-2022-3786 in punycode decoder. · openssl/openssl@c42165b · GitHub

Affected Products

The following Wind River products are impacted:

  • VxWorks 22.09
  • WRLINUX_10_22_LTS and WRLINUX_CI

Please visit our Security Center for ongoing updates to the Wind River product vulnerability status and this alert.

Additional Resources

Please access these additional resources for these and all vulnerabilities:

Wind River customers with additional questions about these vulnerabilities should contact Wind River Customer Support or their local Wind River sales representative for more information. If you own a device that may be impacted by these vulnerabilities, please contact your device manufacturer.