The Community is now in read-only mode to prepare for the launch of the new Revenera Community. During this time, you will be unable to register, log in, or access customer resources from Nov 22nd-Nov 25th. Click here for more information.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Security Advisory: Assessment of Revenera's products' exposure to OpenSSL Vulnerabilities CVE-2022-3602 and CVE-2022-3786

cvirata
Revenera Community Admin Revenera Community Admin
Revenera Community Admin
1 0 1,457

Summary

Two vulnerabilities in OpenSSL impacting versions 3.0.0 through 3.0.6, potentially causing a Denial of Service (DoS) and in one case potentially allowing the execution of arbitrary code, have been publicly disclosed. The vulnerabilities are related to X.509 certificate validation when handling email addresses in both the TLS clients and servers. They have been assigned the identifiers CVE-2022-3602 and CVE-2022-3786 respectively and are rated as “HIGH” by the maintainer of OpenSSL.

This article provides currently available information about the potential impact of the vulnerabilities on Revenera products and plans for remediation, if necessary.

The first vulnerability, referred to as CVE-2022-3786, can be exploited to cause a buffer overflow through a specially crafted X.509 certificate. As the content cannot be controlled by a potential attacker, the only plausible impact is a DoS currently.

The second vulnerability, represented by the identifier CVE-2022-3602, potentially allows for the execution of arbitrary code in addition to a DoS effect. While many platforms incorporate safeguards for the stack and thus mitigate any impact, code execution cannot be fully ruled out.

Once more details are available, this article will be updated with the potential impact of the vulnerability on Revenera products and plans for remediation, if necessary.

NOTE: This is an ongoing assessment. Updates will be made to this advisory as further information becomes available.

Revenera Product Assessment

Product Potential Exposure to CVE-2022-3602 Potential Exposure to CVE-2022-3786 Potentially Exposed Components or Versions Fixed Version Mitigation
Installation
InstallAnywhere No No None N/A N/A
InstallShield No No None N/A N/A
 
Software Composition Analysis
Code Aware No No None N/A N/A
Code Insight No No None N/A N/A
SBOM Insights No No None N/A N/A
 
Software Monetization
Cloud Licensing (CLS) No No None N/A N/A 
Compliance Intelligence (RCI) No No None

N/A

N/A
FlexNet Connect No No None N/A N/A
FlexNet Embedded - License Server Manager (FLSM) No No None N/A N/A
FlexNet Embedded - Local License Server (LLS) No No None N/A N/A
FlexNet Embedded SDK No No None N/A N/A
FlexNet Operations - ALM No No None N/A N/A
FlexNet Operations - LLM No No None N/A N/A
FlexNet Operations On-Premise No No None N/A N/A
FlexNet Publisher No No None N/A N/A
Usage Intelligence (RUI) No No None N/A N/A

 

The information on this page reflects:

  • The assessed status of Revenera’s SaaS systems.
  • The assessed status of all versions of Revenera’s products that are still supported (that is, they have not yet reached their End of Life). Product lifecycle dates can be found at https://docs.revenera.com/eol/default.htm.

Related Information

Change Log

2022-10-31 17:44 CDT: Initial notice posted

2022-11-01 15:43 CDT: Updated advisory due to the publication of OpenSSL version 3.0.7 and vulnerability details