2022 OpenSSL vulnerability - CVE-2022-3602/CVE-2022-3786

This repo contains operational information regarding CVE-2022-3602 and CVE-2022-3786, two vulnerabilities in OpenSSL 3.0.0-3.0.6. For more information see:

• OpenSSL Security Advisory
• OpenSSL Blogpost FAQ
• CERT-Bund advisory (DE)
• CISA advisory
• NCSC-NL advisory (NL)
• OpenSSL pre-notification
• OpenSSL release notification
• SANS Internet Storm Center Blogpost

What is OpenSSL and what is it used for?

OpenSSL is a library used for cryptographic purposes, especially in the field of network connections. For example, web servers often use OpenSSL to establish encrypted HTTPS connections. Mail servers and VPN protocols such as OpenVPN also use OpenSSL to establish encrypted communication channels. The library can be found in a broad array of products, including network devices, embedded systems and container images.

What products are vulnerable?

The vulnerability is present in products using OpenSSL 3.0.0-3.0.6. Products that use OpenSSL 1.0.2 or 1.1.1 are not affected.

Currently no complete overview of vulnerable products is available. Please see software/README.md for a list of products that are known to be vulnerable. The list is a work in progress. For more information about specific products, please refer to your supplier.

The product I use is vulnerable to this issue. What should I do?

For up-to-date information about patches and mitigations, please refer to your product vendor.

IoCs and Detection

There are currently no known IoCs that indicate exploitation of this vulnerability. IoCs will be shared - when possible - through this repository. For network detection rules please see iocs_detection/README.md.

Hall of fame

We would like to thank every single one that provided source information or whom contributed to our GitHub page.

Below we present a very incomplete list of contributants or sources we consider the repository's hall of fame:

• SANS
• SURFcert
• @jspaans
• @robert-scheck
• @RobinFlikkema
• @fox-srt
• @Royce Williams