Summary
Two vulnerabilities in OpenSSL affecting versions 3.0.0 through 3.0.6 have been publicly disclosed; both can potentially cause a Denial of Service (DoS), and one of them could potentially allow the execution of arbitrary code. The vulnerabilities are related to X.509 certificate validation when handling email addresses in both TLS clients and servers. They have been assigned the identifiers CVE-2022-3602 and CVE-2022-3786 respectively and are rated "HIGH" by the maintainers of OpenSSL.
This article provides currently available information about the potential impact of the vulnerabilities on Flexera products and plans for remediation, if necessary.
The first vulnerability, CVE-2022-3786, can be exploited to cause a buffer overflow through a specially crafted X.509 certificate. Because the overflowed content cannot be controlled by an attacker, the only plausible impact at present is a DoS.
The second vulnerability, CVE-2022-3602, potentially allows the execution of arbitrary code in addition to a DoS effect. While many platforms incorporate stack protection that mitigates the impact, code execution cannot be fully ruled out.
NOTE: This is an ongoing assessment. Updates will be made to this advisory as further information becomes available.
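As an added example (not Flexera's code and not part of the original advisory), the following Python script classifies an OpenSSL version banner against the affected range stated above (3.0.0 through 3.0.6, fixed in 3.0.7) and also searches for banners embedded in binaries, since products often bundle their own copy of OpenSSL rather than using the system library. The function names and sample banners are assumptions constructed for this example.

```python
import re
import subprocess

# Affected range taken from the advisory: OpenSSL 3.0.0 through 3.0.6; 3.0.7 carries the fix.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches banners such as "OpenSSL 3.0.6" or "OpenSSL 1.1.1q" (letter suffix used by the 1.x line).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
VERSION_RE_BYTES = re.compile(rb"OpenSSL\s+\d+\.\d+\.\d+[a-z]*")


def parse_version(text):
    """Return (major, minor, patch) from a version banner, or None if no banner is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()[:3])


def classify(text):
    """Map a version banner to 'affected', 'fixed', 'not-affected' or 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v[:2] == (3, 0):
        return "fixed"          # 3.0.7 and later 3.0.x releases include the fix
    return "not-affected"       # other branches (e.g. 1.1.1) are outside the stated range


def find_banners(data):
    """Return the distinct OpenSSL version banners embedded in a byte blob (e.g. a bundled DLL/.so)."""
    return sorted({m.group(0).decode() for m in VERSION_RE_BYTES.finditer(data)})


def scan_file(path):
    """Read a binary from disk and classify every OpenSSL banner found in it."""
    with open(path, "rb") as f:
        return {banner: classify(banner) for banner in find_banners(f.read())}


def check_system_openssl():
    """Run `openssl version` on the current host and classify its banner."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return "unknown", ""
    return classify(out), out.strip()


if __name__ == "__main__":
    # Constructed sample banners, not output captured from any real host:
    for banner in ["OpenSSL 3.0.6 11 Oct 2022", "OpenSSL 3.0.7 1 Nov 2022", "OpenSSL 1.1.1q  5 Jul 2022"]:
        print(f"{banner!r:32} -> {classify(banner)}")
    print("host:", *check_system_openssl())
```

Pass a product's bundled library path to `scan_file` to see which OpenSSL versions it embeds; a banner classified as "affected" warrants the vendor's fixed version or mitigation.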
Flexera product assessment
| Product | Potential Exposure to CVE-2022-3602 | Potential Exposure to CVE-2022-3786 | Potentially Exposed Components or Versions | Fixed Version | Mitigation |
|---|---|---|---|---|---|
| AdminStudio | Under assessment | Under assessment | | | |
| App Portal / App Broker | Under assessment | Under assessment | | | |
| Cloud Management Platform | Under assessment | Under assessment | | | |
| CloudScape / Foundation | No | No | None | N/A | N/A |
| Columbus | No | No | None | N/A | N/A |
| Data Platform | No | No | None | N/A | N/A |
| FlexNet Manager Suite On Premises | No | No | None | N/A | N/A |
| FlexNet Manager for Engineering Applications | No | No | None | N/A | N/A |
| Flexera One: | | | | | |
| Cloud Cost Optimization (Optima) | No | No | None | N/A | N/A |
| IT Asset Management | No | No | None | N/A | N/A |
| IT Visibility | Under assessment | Under assessment | | | |
| SaaS Management | No | No | None | N/A | N/A |
| Software Vulnerability Manager Cloud | No | No | None | N/A | N/A |
| Software Vulnerability Manager On Premises | No | No | None | N/A | N/A |
| Software Vulnerability Research | No | No | None | N/A | N/A |
| Spider | No | No | None | N/A | N/A |
| Technopedia | No | No | None | N/A | N/A |
| Workflow Manager | Under assessment | Under assessment | | | |
The information on this page reflects:
Related information
Change log
31 Oct, 2022 6:00 PM CST: Initial notice posted
1 Nov, 2022 3:25 PM CST: Updated advisory due to the publication of OpenSSL version 3.0.7 and vulnerability details
2 Nov, 2022 10:15 PM CST: Updated advisory regarding CloudScape / Foundation, FlexNet Manager for Engineering Applications, Cloud Cost Optimization (Optima), Software Vulnerability Manager Cloud, Software Vulnerability Manager On Premises and Software Vulnerability Research
15 Nov, 2022 4:00 PM CST: Updated advisory regarding FlexNet Manager Suite On Premises and IT Asset Management
16 Nov, 2022 5:15 PM CST: Updated advisory regarding Data Platform and Technopedia
17 Nov, 2022 12:50 PM CST: Updated advisory regarding Columbus and Spider
21 Nov, 2022 4:00 PM CST: Updated advisory regarding SaaS Management