Cloudflare is not affected by the OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786

Andra Smith
Last updated: 7 November

Contents
  • How do these issues affect clients and servers?
  • How should you handle this issue?
  • Key takeaways

Yesterday, November 1, 2022, OpenSSL released version 3.0.7 to patch CVE-2022-3602 and CVE-2022-3786, two HIGH risk vulnerabilities in the OpenSSL 3.0.x cryptographic library. Cloudflare is not affected by these vulnerabilities because we use BoringSSL in our products.

These vulnerabilities are memory corruption issues, in which attackers may be able to execute arbitrary code on a victim’s machine. CVE-2022-3602 was initially announced as a CRITICAL severity vulnerability, but it was downgraded to HIGH because it was deemed difficult to exploit for remote code execution (RCE). Unlike previous situations where users of OpenSSL were almost universally vulnerable, software that uses other versions of OpenSSL (like 1.1.1) is not vulnerable to this attack.

How do these issues affect clients and servers?

These vulnerabilities reside in the code responsible for X.509 certificate verification – most often executed on the client side to authenticate the server and the certificate presented. In order to be impacted by this vulnerability the victim (client or server) needs a few conditions to be true:

  • A malicious certificate needs to be signed by a Certificate Authority that the victim trusts.
  • The victim needs to validate the malicious certificate or ignore a series of warnings from the browser.
  • The victim needs to be running OpenSSL 3.0.x before 3.0.7.

For a client to be affected by this vulnerability, they would have to visit a malicious site that presents a certificate containing an exploit payload. In addition, this malicious certificate would have to be signed by a trusted certificate authority (CA).

Servers with a vulnerable version of OpenSSL can be attacked if they support mutual authentication – a scenario where both the client and the server provide a valid, signed X.509 certificate – and the client is able to present a certificate with an exploit payload to the server.

How should you handle this issue?

If you’re managing services that run OpenSSL, you should patch vulnerable OpenSSL packages. On a Linux system you can determine whether any processes are dynamically loading OpenSSL with the lsof command. Here’s an example of finding OpenSSL being used by NGINX:

# lsof | grep libssl.so.3
nginx   1294     root  mem       REG              254,1           925009 /usr/lib/x86_64-linux-gnu/libssl.so.3 (path dev=0,142)

Once the package maintainers for your Linux distro release OpenSSL 3.0.7, you can patch by updating your package sources and upgrading the libssl3 package. On Debian and Ubuntu this can be done with apt-get:

# apt-get --only-upgrade install libssl3

With that said, it’s possible that you are running a vulnerable version of OpenSSL that the lsof command can’t find because your process is statically compiled. It’s important to update any statically compiled software you are responsible for maintaining, and to make sure that over the coming days you update your operating system and other installed software that might contain the vulnerable OpenSSL versions.
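As an added example (not part of the original post), a small POSIX shell script that implements both checks from this section: it lists processes that map libssl.so.3 by reading /proc (so it does not need lsof), and it flags statically linked binaries whose embedded OpenSSL version string falls in the affected 3.0.0 to 3.0.6 range, which the lsof check cannot see. The script name and the convention of passing binaries to scan on the command line are assumptions.

```shell
#!/bin/sh
# Added example, not from the Cloudflare post: find OpenSSL 3.0.x copies that are
# still in the affected range (3.0.0 to 3.0.6), both dynamically loaded and
# statically linked. Reads /proc directly, so it works where lsof is absent.

# Succeeds (exit 0) when "$1" is an OpenSSL version in the affected range.
is_vulnerable_version() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3)
    [ "$major" = 3 ] && [ "$minor" = 0 ] && [ "${patch:-0}" -lt 7 ]
}

# Print the OpenSSL 3.x version embedded in a binary (e.g. "3.0.5"), or nothing.
# OpenSSL builds embed "OpenSSL <version> <date>" as their version text, so this
# also catches statically compiled programs that map no libssl.so.3 at all.
embedded_openssl_version() {
    grep -a -o 'OpenSSL 3\.[0-9][0-9]*\.[0-9][0-9]*' "$1" 2>/dev/null | head -n 1 | cut -d' ' -f2
}

# Print "VULNERABLE: <path> embeds OpenSSL <ver>" for an affected static binary.
check_static_binary() {
    ver=$(embedded_openssl_version "$1")
    [ -n "$ver" ] && is_vulnerable_version "$ver" && echo "VULNERABLE: $1 embeds OpenSSL $ver"
}

# Print "<pid> <exe>" for every process that currently maps libssl.so.3; the
# same information as the lsof check, taken from each process's memory map.
pids_with_libssl3() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -q 'libssl\.so\.3' "$maps" 2>/dev/null; then
            echo "$pid $(readlink "/proc/$pid/exe" 2>/dev/null)"
        fi
    done
}

# Usage (assumed script name): sh openssl3_scan.sh --scan [binary ...]
if [ "${1:-}" = "--scan" ]; then
    shift
    echo "Processes with libssl.so.3 mapped (check the package version with dpkg -s libssl3):"
    pids_with_libssl3
    for bin in "$@"; do check_static_binary "$bin"; done
fi
```

A process listed by pids_with_libssl3 is only a problem if the installed libssl3 package is older than 3.0.7; a hit from check_static_binary needs a rebuilt binary, not a package upgrade.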

Key takeaways

Cloudflare’s use of BoringSSL helped us be confident that the issue would not impact us prior to the release date of the vulnerabilities.

More generally, the vulnerability is a reminder that memory safety is still an important issue. This issue may be difficult to exploit because it requires a maliciously crafted certificate that is signed by a trusted CA, and certificate issuers are likely to begin validating that the certificates they sign don’t contain payloads that exploit these vulnerabilities. However, it’s still important to patch your software and upgrade your vulnerable OpenSSL packages to OpenSSL 3.0.7 given the severity of the issue.

To learn more about our mission to help build a better Internet, start here. If you’re looking for a new career direction, check out our open positions.


Source: cloudflare.com

Andra Smith, November 7, 2022