Last updated at Fri, 11 Nov 2022 19:47:13 GMT
As stated in our OpenSSL Buffer Overflow blog post, the CVE-2022-3786 & CVE-2022-3602 vulnerabilities affecting OpenSSL’s 3.0.x versions both rely on a maliciously crafted email address in a certificate. CVE-2022-3786 can overflow an arbitrary number of bytes on the stack with the “.” character (a period), leading to a denial of service, while CVE-2022-3602 allows a crafted email address to overflow exactly four attacker-controlled bytes on the stack. OpenSSL 3.0.7 contains fixes for these vulnerabilities which was released on November 1, 2022.
As part of standard due diligence, Rapid7 evaluates the potential impact of vulnerabilities in its products. This process includes validating the existence of the vulnerable libraries or services, interdependencies, the exploitability of the vulnerability in a given context, and impacts related to applying available patches.
Rapid7’s Insight Agent and Insight Network Sensor were confirmed to be impacted by these vulnerabilities. An Insight Agent fix was released on November 2, 2022 (release version 18.104.22.168) and a Network Sensor fix was released on November 10, 2022 (release version 22.214.171.124). Rapid7’s assessment has found no other impact on our products.