- Flexera Community
- :
- Community Hub
- :
- Community Notices
- :
- Security Advisory: Assessment of Flexera's products' exposure to OpenSSL Vulnerabilities CVE-2022-36...
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Summary
Two vulnerabilities in OpenSSL impacting versions 3.0.0 through 3.0.6, potentially causing a Denial of Service (DoS) and in one case potentially allowing the execution of arbitrary code, have been publicly disclosed. The vulnerabilities are related to X.509 certificate validation when handling email addresses in both the TLS clients and servers. They have been assigned the identifiers CVE-2022-3602 and CVE-2022-3786 respectively and are rated as “HIGH” by the maintainer of OpenSSL.
This article provides currently available information about the potential impact of the vulnerabilities on Flexera products and plans for remediation, if necessary.
The first vulnerability, referred to as CVE-2022-3786, can be exploited to cause a buffer overflow through a specially crafted X.509 certificate. As the content cannot be controlled by a potential attacker, the only plausible impact is a DoS currently.
The second vulnerability, represented by the identifier CVE-2022-3602, potentially allows for the execution of arbitrary code in addition to a DoS effect. While many platforms incorporate safeguards for the stack and thus mitigate any impact, code execution cannot be fully ruled out.
NOTE: This is an ongoing assessment. Updates will be made to this advisory as further information becomes available.
Flexera product assessment
|
Product |
Potential Exposure to CVE-2022-3602 |
Potential Exposure to CVE-2022-3786 |
Potentially Exposed Components or Versions |
Fixed Version |
Mitigation |
|
AdminStudio |
Under assessment |
Under assessment |
|
|
|
|
App Portal / App Broker |
Under assessment |
Under assessment |
|
|
|
|
Cloud Management Platform |
Under assessment |
Under assessment |
|
|
|
|
CloudScape / Foundation |
No |
No |
None |
N/A |
N/A |
|
Columbus |
No |
No |
None |
N/A |
N/A |
|
Data Platform |
No |
No |
None |
N/A |
N/A |
|
FlexNet Manager Suite On Premises |
No |
No |
None |
N/A |
N/A |
|
FlexNet Manager for Engineering Applications |
No |
No |
None |
N/A |
N/A |
|
Flexera One: |
|
|
|
|
|
|
Cloud Cost Optimization (Optima) |
No |
No |
None |
N/A |
N/A |
|
IT Asset Management |
No |
No |
None |
N/A |
N/A |
|
IT Visibility |
Under assessment |
Under assessment |
|
|
|
|
SaaS Management |
No |
No |
None |
N/A |
N/A |
|
Software Vulnerability Manager Cloud |
No |
No |
None |
N/A |
N/A |
|
Software Vulnerability Manager On Premises |
No |
No |
None |
N/A |
N/A |
|
Software Vulnerability Research |
No |
No |
None |
N/A |
N/A |
|
Spider |
No |
No |
None |
N/A |
N/A |
|
Technopedia |
No |
No |
None |
N/A |
N/A |
|
Workflow Manager |
Under assessment |
Under assessment |
|
|
|
The information on this page reflects:
- The assessed status of Flexera's SaaS systems.
- The assessed status of all versions of Flexera's products that are still supported (that is, they have not yet reached their End of Life). Product lifecycle dates can be found at https://docs.flexera.com/eol/default.htm.
Related information
- OpenSSL Security Advisory [01 November 2022]
- OpenSSL 3.0 Series Release Notes
- OpenSSL Notice for CVE-2022-3602
- OpenSSL Notice for CVE-2022-3786
- OpenSSL Blog "CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows"
Change log
31 Oct, 2022 6:00 PM CST: Initial notice posted
1 Nov, 2022, 3:25 PM CST: Updated advisory due to the publication of OpenSSL version 3.0.7 and vulnerability details
2 Nov, 2022 10:15 PM CST: Updated advisory regarding CloudScape / Foundation, FlexNet Manager for Engineering Applications, Cloud Cost Optimization (Optima), Software Vulnerability Manager Cloud, Software Vulnerability Manager On Premises and Software Vulnerability Research
15 Nov, 2022 4:00 PM CST: Updated advisory regarding FlexNet Manager Suite On Premises and IT Asset Management
16 Nov, 2022 5:15 PM CST: Updated advisory regarding Data Platform and Technopedia
17 Nov, 2022 12:50 PM CST: Updated advisory regarding Columbus and Spider
21 Nov, 2022 4:00 PM CST: Updated advisory regarding SaaS Management
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Sustainable IT in a Hybrid Environment - Webinar Feb 14th, 2023 in Events and Webinars
- Security Advisory: Assessment of Flexera's products' exposure to Apache Commons Text RCE Vulnerability CVE-2022-42889 in Community Notices
- Security Advisory: Assessment of Flexera's products' exposure to Spring Framework RCE Vulnerability CVE-2022-22965 in Community Notices
- Identifying Apache Log4j JNDI Vulnerability “Log4Shell” and Variants (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104) in Community Notices
