Aiven Blog

Nov 4, 2022

Security updates: OpenSSL X.509 email address buffer overflow

CVE-2022-3786 and CVE-2022-3602 currently have no impact on Aiven services or the Aiven platform.

On 25 Oct 2022, we became aware of a new potential critical OpenSSL Vulnerability.

On 1 Nov 2022, the official details were published. There are two HIGH severity OpenSSL vulnerabilities affecting OpenSSL 3.0.0 through 3.0.6 (fixed in 3.0.7; the 1.1.1 and 1.0.2 series are not affected):

  1. CVE-2022-3602: X.509 Email Address 4-byte Buffer Overflow
  2. CVE-2022-3786: X.509 Email Address Variable Length Buffer Overflow

Both are stack buffer overruns that could result in a denial of service (“DoS”) or, in theory, remote code execution (“RCE”). According to the OpenSSL advisory, the overrun is triggered during X.509 certificate verification, specifically in name constraint checking, when a certificate contains a maliciously crafted email address field.

Exploitation requires either that a certificate authority (“CA”) has signed a malicious certificate, or that an application continues certificate verification despite failing to construct a path to a trusted issuer. Name constraint checking happens after chain building, so a correctly configured client that rejects an untrusted chain never reaches the vulnerable code for a certificate no trusted CA has signed.

At the time of disclosure, the OpenSSL reporting team was not aware of any working exploit that could lead to remote code execution and had no evidence of the issues having been exploited prior to disclosure.
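The first thing a practitioner wants after reading the advisory is a way to tell whether a given OpenSSL is in the affected range (3.0.0 through 3.0.6). The script below is an added example written for this page, not Aiven's own tooling; it assumes the version string looks like the second field of `openssl version` output (for example `3.0.5` or `1.1.1q`), and that a missing `openssl` binary means the library version has to be checked another way.

```shell
#!/bin/sh
# Added example (not part of the original post): classify an OpenSSL version
# string as affected or not by CVE-2022-3602 / CVE-2022-3786.
# Affected: 3.0.0 through 3.0.6. Fixed in 3.0.7. 1.1.1 and 1.0.2 are not affected.

# openssl_affected VERSION
# Returns 0 (true) when VERSION is in the affected range, 1 otherwise.
openssl_affected() {
    ver="$1"
    # Reduce the string to its numeric triple: "1.1.1q" -> "1.1.1",
    # "3.0.7-dev" -> "3.0.7". Anything without three numeric fields is
    # treated as unknown and reported as not affected (caller should look
    # closer rather than trust this result).
    num=$(printf '%s' "$ver" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+).*/\1/')
    case "$num" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) return 1 ;;
    esac
    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Only the 3.0.x branch ships the vulnerable code; 3.0.7 carries the fix.
    if [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        return 0
    fi
    return 1
}

# check_installed_openssl
# Looks at the openssl CLI on PATH. Returns 0 if affected, 1 if not,
# 2 if no binary was found (then inspect the libcrypto your apps link).
check_installed_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "no openssl binary on PATH; check the linked libcrypto instead (e.g. ldd, pkg manager)"
        return 2
    fi
    installed=$(openssl version | awk '{print $2}')
    if openssl_affected "$installed"; then
        echo "OpenSSL $installed is in the affected range 3.0.0-3.0.6: upgrade to 3.0.7 or later"
        return 0
    fi
    echo "OpenSSL $installed is not in the affected range"
    return 1
}

# Usage: RUN_CHECK=1 sh openssl-check.sh
if [ -n "${RUN_CHECK:-}" ]; then
    check_installed_openssl
fi
```

Two caveats when using this. The CLI on PATH is not necessarily the libcrypto a given service links, so for anything statically linked or shipped in a container you still have to check that binary's own library. And distributions that backport fixes keep the upstream version number, so a packaged `3.0.2` may already carry the patch; treat a match here as "verify against the vendor's advisory", not as proof of exposure.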

Our security, engineering, and operations teams have thoroughly investigated the potential impact on the Aiven platform and services since the additional details of the vulnerability were disclosed. We have not found components in any Aiven services, or in the underlying operating systems or software, that are vulnerable to these issues.

Further information

For more information about the vulnerability, see

  1. OpenSSL blog post on CVE-2022-3786 and CVE-2022-3602

  2. CVE-2022-3786 and CVE-2022-3602 on MITRE's CVE list, once the entries have been published there.

To get the latest news about Aiven and our services, plus a bit of extra around all things open source, subscribe to our monthly newsletter! Daily news about Aiven is available on our LinkedIn and Twitter feeds.

If you just want to find out about our service updates, follow our changelog.

Are you still looking for a managed data platform? Sign up for a free trial at https://console.aiven.io/signup!


Related resources

  • Security updates: Grafana and Log4j

    Dec 20, 2021

    0day? How about 0december! Aiven's CISO recaps the recent vulnerabilities and what Aiven did about them.

  • Security updates: Linux® kernel vulnerability

    Mar 14, 2022

    A vulnerability called "Dirty Pipe" (CVE-2022-0847) allows users to increase their access via the page cache. Aiven's CISO writes about our mitigating actions.

  • CloudOps: the everyday heroes

    Nov 18, 2021

    Programmers spending their time on tool issues is an old problem. The new solution in town is a separate team that takes care of it for them.