移至主內容
OpenSSL Advisory, November 2022

OpenSSL versions from 3.x through 3.0.6 (earlier than 3.0.7) are found vulnerable to a high severity security vulnerability that can lead to crash or unexpected behavior.

OpenSSL has released an advisory located at https://www.openssl.org/news/secadv/20221101.txt

Supermicro firmware and software products are not affected by either CVE-2022-3786 or CVE-2022-3602 since Supermicro products use OpenSSL versions 1.0.x - 1.1.1.

More Information:

CVE-2022-3786

An attacker can craft a malicious email address to overflow an arbitrary number of bytes containing the `.` character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).

CVE-2022-3602

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.