Nov 4, 2022
Security updates: OpenSSL X.509 email address buffer overflow
CVE-2022-3786 and CVE-2022-3602 currently have no impact on Aiven services or the Aiven platform.
On 25 Oct 2022, we became aware of a new potential critical OpenSSL vulnerability: the OpenSSL project pre-announced a fix, at that point rated CRITICAL, for release on 1 Nov 2022.
On 1 Nov 2022, the official details were published together with the fixed release, OpenSSL 3.0.7. There are two HIGH severity vulnerabilities, both affecting OpenSSL 3.0.0 through 3.0.6 (the 1.1.1 and 1.0.2 branches are not affected):
- CVE-2022-3602, the issue that was pre-announced as CRITICAL and lowered to HIGH at release: a 4-byte stack buffer overflow in the punycode decoder used when checking X.509 email address name constraints.
- CVE-2022-3786, found while the fix for the first issue was being prepared: a variable-length stack buffer overflow in the same code path, limited to bytes with the value '.' (decimal 46).
Both can lead to a stack buffer overrun resulting in a crash (denial of service, “DoS”) or potentially remote code execution (“RCE”). According to the OpenSSL advisory, the overrun is triggered during X.509 certificate verification, in name constraint checking, when a certificate carries a malicious email address. A TLS client can be hit by connecting to a malicious server; a TLS server is exposed only if it requests client authentication and a malicious client connects.
Because the name constraint check runs only once a chain to a trusted issuer has been built, exploitation requires either a certificate authority (“CA”) to have signed the malicious certificate or an application that continues certificate verification despite failing to construct a path to a trusted issuer (typically a verify callback that returns success regardless of the error it is handed).
At the time of disclosure, the OpenSSL team was not aware of any working exploit that could lead to remote code execution and had no evidence of the issues having been exploited prior to disclosure. The severity was lowered from CRITICAL because many platforms ship stack overflow protections that mitigate RCE, and on common stack layouts the 4-byte overflow may land in unused padding.
Our security, engineering, and operations teams have thoroughly investigated the potential impact on the Aiven platform and services since the details of the vulnerabilities were disclosed. We have not found components in any Aiven services, or in the underlying operating systems or software, that are vulnerable to these issues.
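The check that the investigation above implies, as an added example that is not Aiven's own tooling: a POSIX shell function that classifies an `openssl version` banner against the affected range, plus a wrapper that also asks the Python and Node runtimes which libssl they link, because an application can carry a copy of OpenSSL that differs from the one behind the `openssl` CLI. The function names are my own, and the banners in the comments are constructed.

```shell
#!/bin/sh
# Added example, not Aiven's tooling: classify an OpenSSL version banner
# against the range affected by CVE-2022-3602 / CVE-2022-3786.
# Affected: OpenSSL 3.0.0 through 3.0.6. Fixed in 3.0.7. The 1.1.1 and 1.0.2
# branches never contained the punycode decoder and are not affected.

# openssl_cve_status "<banner>"  -> prints affected | fixed | not-affected | unknown
openssl_cve_status() {
    banner=$1
    # Pull the first dotted version token: "3.0.6" from "OpenSSL 3.0.6 11 Oct 2022",
    # "1.1.1" from "OpenSSL 1.1.1q  5 Jul 2022", "3.0.7" from "OpenSSL 3.0.7+quic".
    ver=$(printf '%s\n' "$banner" | sed -n 's/^OpenSSL \([0-9][0-9.]*[0-9]\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown            # not an OpenSSL banner (LibreSSL, BoringSSL, garbage)
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$rest" in *.*) ;; *) patch=0 ;; esac   # "3.0" is treated as 3.0.0
    if [ "$major" -ne 3 ] || [ "$minor" -ne 0 ]; then
        echo not-affected       # 1.x / 0.9.x, or a 3.1+ release that already carries the fix
    elif [ "$patch" -le 6 ]; then
        echo affected
    else
        echo fixed
    fi
}

# Report the CLI's library and the copies linked into common runtimes, when present.
# `openssl version` only describes the CLI's libssl; Python and Node each link their own.
report_host_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        b=$(openssl version)
        printf 'openssl CLI : %-40s %s\n' "$b" "$(openssl_cve_status "$b")"
    fi
    if command -v python3 >/dev/null 2>&1; then
        b=$(python3 -c 'import ssl; print(ssl.OPENSSL_VERSION)' 2>/dev/null) && \
        printf 'python3     : %-40s %s\n' "$b" "$(openssl_cve_status "$b")"
    fi
    if command -v node >/dev/null 2>&1; then
        # node reports only the number, e.g. "3.0.7+quic"; prefix it so the parser accepts it
        b="OpenSSL $(node -p 'process.versions.openssl' 2>/dev/null)" && \
        printf 'node        : %-40s %s\n' "$b" "$(openssl_cve_status "$b")"
    fi
}

report_host_openssl
```

Two caveats when reading the output. Distributions such as Debian, Ubuntu and RHEL backport security fixes without changing the upstream version string, so a banner of 3.0.2 on a patched Ubuntu 22.04 host is reported as affected here; confirm with the package changelog (`apt changelog openssl`, `rpm -q --changelog openssl`) rather than the banner alone. Conversely, Go binaries (native crypto/tls) and Java (JSSE) do not use OpenSSL at all and need no check.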
Further information
For more information about the vulnerabilities, see
- the OpenSSL security advisory of 1 Nov 2022 (https://www.openssl.org/news/secadv/20221101.txt)
- CVE-2022-3786 on CVE Mitre
- CVE-2022-3602 on CVE Mitre
The CVE Mitre records may lag the advisory and can be consulted once they are populated.
To get the latest news about Aiven and our services, plus a bit extra on all things open source, subscribe to our monthly newsletter! Daily news about Aiven is available on our LinkedIn and Twitter feeds.
If you just want to find out about our service updates, follow our changelog.
Are you still looking for a managed data platform? Sign up for a free trial at https://console.aiven.io/signup!