Security Advisory: Assessment of Revenera's products' exposure to OpenSSL Vulnerabilities CVE-2022-3602 and CVE-2022-3786
Summary
Two vulnerabilities in OpenSSL affecting versions 3.0.0 through 3.0.6 have been publicly disclosed. Both can cause a Denial of Service (DoS), and one of them could potentially allow the execution of arbitrary code. The vulnerabilities are buffer overflows in X.509 certificate verification, triggered while processing an email address in a certificate's name constraints, and they can affect both TLS clients (verifying a server certificate) and TLS servers (verifying a client certificate). They have been assigned the identifiers CVE-2022-3602 and CVE-2022-3786 and are rated "HIGH" by the OpenSSL project. OpenSSL 1.0.2 and 1.1.1 are not affected; the fix is contained in OpenSSL 3.0.7.
This article provides currently available information about the potential impact of the vulnerabilities on Revenera products and plans for remediation, if necessary.
The first vulnerability, CVE-2022-3786, can be exploited to cause a buffer overflow through a specially crafted X.509 certificate. The attacker controls the length of the overflow but not its content (the overflowing bytes are all the "." character), so the only plausible impact at present is a DoS.
The second vulnerability, CVE-2022-3602, is a four-byte overflow whose content the attacker does control, so it potentially allows the execution of arbitrary code in addition to a DoS. Many platforms include stack overflow protections that mitigate this, but code execution cannot be fully ruled out. Note that both issues are triggered only after the certificate chain signature has been verified, so exploitation requires either a CA to have signed the malicious certificate or an application that continues verification despite failing to build a path to a trusted issuer.
NOTE: This is an ongoing assessment. Updates will be made to this advisory as further information about the potential impact on Revenera products and plans for remediation, if necessary, becomes available.
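As a first check on your own hosts, before consulting the product table that follows, the script below classifies OpenSSL version banners against the affected range stated above (3.0.0 through 3.0.6, fixed in 3.0.7). It is an added example and is not Revenera's or OpenSSL's code; the host names and banners it contains are constructed sample data.

```python
"""Classify OpenSSL version banners against the CVE-2022-3602 / CVE-2022-3786
affected range (3.0.0 through 3.0.6, fixed in 3.0.7).

Added example, not Revenera or OpenSSL code. SAMPLE_INVENTORY is constructed data."""
import re
import ssl
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Range stated in the advisory. 1.0.2 and 1.1.1 fall outside it and are unaffected.
FIRST_AFFECTED: Version = (3, 0, 0)
FIRST_FIXED: Version = (3, 0, 7)

# Matches the banner printed by `openssl version` and the string in
# ssl.OPENSSL_VERSION, e.g. "OpenSSL 3.0.6 15 Sep 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
# The optional letter suffix (1.1.1q) and pre-release tag (3.0.0-alpha1) are ignored.
_BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*(?:-\S+)?", re.IGNORECASE)


def parse_openssl_version(banner: str) -> Optional[Version]:
    """Return (major, minor, patch) from an OpenSSL banner, or None when the banner
    is not OpenSSL at all (LibreSSL and BoringSSL report differently and are not
    covered by this advisory)."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version: Version) -> bool:
    """True when version lies in [3.0.0, 3.0.7). Tuple comparison is lexicographic,
    so (3, 0, 6) < (3, 0, 7) and (3, 1, 0) >= (3, 0, 7) as intended."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def assess(banner: str) -> str:
    """Map a banner to one of: 'affected', 'not affected', 'unknown'."""
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


def assess_inventory(banners: Dict[str, str]) -> Dict[str, str]:
    """Assess a host -> banner mapping, e.g. the output of `openssl version`
    collected from each host."""
    return {host: assess(banner) for host, banner in banners.items()}


def assess_running_python() -> str:
    """Assess the OpenSSL that this Python interpreter itself is linked against."""
    return assess(ssl.OPENSSL_VERSION)


# Constructed sample inventory (hypothetical host names and banners).
SAMPLE_INVENTORY: Dict[str, str] = {
    "build-01": "OpenSSL 3.0.6 15 Sep 2022",
    "build-02": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-01": "OpenSSL 1.1.1q  5 Jul 2022",
    "bsd-01": "LibreSSL 3.3.6",
}

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    print(f"this interpreter ({ssl.OPENSSL_VERSION}): {assess_running_python()}")
```

The system `openssl` binary is only one copy of the library. Applications that bundle or statically link their own OpenSSL (as commercial products often do) will not show up in such a scan, which is why the vendor-by-vendor assessment in the table matters; on Linux, `ldconfig -p | grep libssl` at least lists the shared copies the loader knows about.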
Revenera Product Assessment
Product | Potential Exposure to CVE-2022-3602 | Potential Exposure to CVE-2022-3786 | Potentially Exposed Components or Versions | Fixed Version | Mitigation |
--- | --- | --- | --- | --- | --- |
Installation | | | | | |
InstallAnywhere | No | No | None | N/A | N/A |
InstallShield | No | No | None | N/A | N/A |
Software Composition Analysis | |||||
Code Aware | No | No | None | N/A | N/A |
Code Insight | No | No | None | N/A | N/A |
SBOM Insights | No | No | None | N/A | N/A |
Software Monetization | |||||
Cloud Licensing (CLS) | No | No | None | N/A | N/A |
Compliance Intelligence (RCI) | No | No | None | N/A | N/A |
FlexNet Connect | No | No | None | N/A | N/A |
FlexNet Embedded - License Server Manager (FLSM) | No | No | None | N/A | N/A |
FlexNet Embedded - Local License Server (LLS) | No | No | None | N/A | N/A |
FlexNet Embedded SDK | No | No | None | N/A | N/A |
FlexNet Operations - ALM | No | No | None | N/A | N/A |
FlexNet Operations - LLM | No | No | None | N/A | N/A |
FlexNet Operations On-Premise | No | No | None | N/A | N/A |
FlexNet Publisher | No | No | None | N/A | N/A |
Usage Intelligence (RUI) | No | No | None | N/A | N/A |
The information on this page reflects:
- The assessed status of Revenera’s SaaS systems.
- The assessed status of all versions of Revenera’s products that are still supported (that is, they have not yet reached their End of Life). Product lifecycle dates can be found at https://docs.revenera.com/eol/default.htm.
Related Information
- Information about Flexera products: https://community.flexera.com/t5/Community-Notices/Security-Advisory-Assessment-of-Flexera-s-products-exposure-to/ba-p/254301
- OpenSSL Release 3.0.7 Announcement
- OpenSSL Security Advisory [01 November 2022]
- OpenSSL 3.0 Series Release Notes
- OpenSSL Notice for CVE-2022-3602
- OpenSSL Notice for CVE-2022-3786
- OpenSSL Blog "CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows"
Change Log
2022-10-31 17:44 CDT: Initial notice posted
2022-11-01 15:43 CDT: Updated advisory due to the publication of OpenSSL version 3.0.7 and vulnerability details