Security Update: OpenSSL vulnerability CVE-2022-3602
Update: Friday, November 4, 2022 3:00pm (EDT)
The SmartBear Security Team has determined there are no products and/or systems directly impacted by CVE-2022-3602 and CVE-2022-3786 at this time. We have determined, however, that some underlying infrastructure images do contain the impacted OpenSSL library, and are working to release new versions of those container images. SmartBear continues to closely monitor this known vulnerability and our security teams have also increased vulnerability monitoring and tuned our sensors for greater detection of any related activity.
If you have additional or more specific questions, reach out to our support team at https://support.smartbear.com.
Update: Wednesday, November 2, 2022 10:00am (EDT)
On November 1, 2022, OpenSSL announced a software update addressing a recent remote code execution vulnerability disclosed under CVE-2022-3786 (X.509 Email Address Variable Length Buffer Overflow) and CVE-2022-3602 (X.509 Email Address 4-byte Buffer Overflow).
CVE-2022-3602 was originally assessed as Critical and has now been assessed as High, with CVE-2022-3786 remaining classified as High.
As part of its standard research and operating protocol, OpenSSL assesses a vulnerability as Critical when it allows remote code execution in common situations, according to its security policy. OpenSSL has reported not seeing evidence of these vulnerabilities being exploited in the wild but is encouraging users on 3.0 and above to update to the latest version.
SmartBear is monitoring our products and IT environment for this vulnerability as part of our rapid response protocols, and will apply patches as they become available for any impacted system. Please know that the security of our products for our customers is a top priority. If you have any questions, please reach out to our support team at https://support.smartbear.com.