OpenSSL 3.0.7 Addresses High-Severity X.509 Email Address Buffer Overflows
The OpenSSL Project shipped version 3.0.7 on November 1, 2022 to patch two high-severity buffer overflow vulnerabilities (CVE-2022-3602 and CVE-2022-3786) in X.509 certificate verification. Both are stack overflows in the Punycode handling used for name constraint checks; either can crash the process, and CVE-2022-3602 could potentially lead to remote code execution.
Executive briefing: On November 1, 2022 the OpenSSL Project released OpenSSL 3.0.7, resolving two X.509 email address buffer overflows affecting OpenSSL 3.0.0 through 3.0.6. A crafted certificate can overflow a stack buffer while name constraints are checked, potentially enabling denial of service or remote code execution in TLS clients that connect to a malicious server and in TLS servers that request client authentication from a malicious client.
Vulnerability details
- CVE-2022-3602 (X.509 Email Address 4-byte Buffer Overflow). A crafted email address in a certificate overflows four attacker-controlled bytes on the stack during Punycode decoding. The overflow is reached only after certificate chain signature verification, so triggering it requires either a CA that signed the malicious certificate or an application that continues verification despite failing to build a path to a trusted issuer. The outcome is a crash or, depending on stack layout and platform protections, possibly remote code execution; the issue was pre-announced as CRITICAL and downgraded to HIGH at release.
- CVE-2022-3786 (X.509 Email Address Variable Length Buffer Overflow). A crafted email address overflows an arbitrary number of bytes on the stack, but every overflowed byte is the '.' character (0x2e), so the advisory rates it as a crash (denial of service) rather than code execution. It has the same trigger conditions as CVE-2022-3602.
- Exposure scope. OpenSSL 3.0.0 through 3.0.6 are affected. OpenSSL 1.1.1 and 1.0.2 do not contain the vulnerable Punycode code, and LibreSSL is not impacted.
Mitigation guidance
- Upgrade to OpenSSL 3.0.7 (or vendor-patched packages) and redeploy dependent applications, containers, and appliances.
- Harden certificate validation: because both overflows are reached only after chain signature verification, review any code that overrides verification failures (for example, a verify callback that returns success regardless of the error) and keep the trusted CA set minimal. TLS servers that request client certificates are reachable by any connecting client and should be patched first.
- Inventory embedded OpenSSL usage across workloads, CI/CD runners, containers, and edge devices, including statically linked and vendored copies that `openssl version` on the host will not report, and make sure patched libraries are promoted through release pipelines.
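A small inventory helper for the upgrade and inventory steps above, written as an added example for this article (it is not OpenSSL project code). It relies only on the affected range stated in the advisory (3.0.0 through 3.0.6, fixed in 3.0.7) and on the version banner that libcrypto embeds as a C string and that `openssl version` prints ("OpenSSL 3.0.6 11 Oct 2022" style). The sample bytes are constructed; `scan_tree`, `affected_in_blob` and the other function names are this example's own.

```python
"""Inventory check for the OpenSSL 3.0.0-3.0.6 X.509 email address overflows
(CVE-2022-3602 / CVE-2022-3786).

Added example, not OpenSSL project code. It relies only on the affected
range (3.0.0 through 3.0.6, fixed in 3.0.7) and on the version banner that
libcrypto embeds as a C string, which is what `openssl version` prints.
The sample bytes below are constructed.
"""
import re
import sys
from pathlib import Path
from typing import Dict, Iterator, List, Optional, Tuple

try:
    import ssl
except ImportError:  # interpreter built without OpenSSL
    ssl = None

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (3, 0, 0)
AFFECTED_MAX: Version = (3, 0, 6)  # 3.0.7 carries the fix

# Matches "OpenSSL 3.0.6 11 Oct 2022", "OpenSSL 1.1.1q  5 Jul 2022", "OpenSSL 3.0.7" ...
TEXT_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)")
BYTES_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """(major, minor, patch) from a banner string, or None if no banner is present."""
    m = TEXT_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True only for 3.0.0 <= version <= 3.0.6; 1.0.2, 1.1.1, 3.0.7+ and 3.1+ are not."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def scan_blob(blob: bytes) -> Iterator[Version]:
    """Yield every OpenSSL banner embedded in raw file bytes, in file order.

    The banner is a plain C string, so a byte search finds copies inside
    statically linked interpreters, vendored libssl.so.3 files in container
    layers and firmware images that `openssl version` on the host never sees.
    """
    for m in BYTES_RE.finditer(blob):
        major, minor, patch = (int(g) for g in m.groups())
        yield (major, minor, patch)


def affected_in_blob(blob: bytes) -> List[Version]:
    """Sorted, de-duplicated list of affected versions found in blob."""
    return sorted({v for v in scan_blob(blob) if is_affected(v)})


def scan_tree(root: Path) -> Dict[str, List[Version]]:
    """Map path -> affected versions for every regular file under root."""
    files = [root] if root.is_file() else (p for p in root.rglob("*") if p.is_file())
    findings: Dict[str, List[Version]] = {}
    for f in files:
        try:
            hits = affected_in_blob(f.read_bytes())
        except OSError:
            continue  # unreadable (permissions, special files): skip, do not abort the scan
        if hits:
            findings[str(f)] = hits
    return findings


def interpreter_status() -> Tuple[str, bool]:
    """Banner of the OpenSSL this interpreter links against, and whether it is affected.

    The banner string is parsed instead of ssl.OPENSSL_VERSION_INFO because
    CPython's tuple for OpenSSL 3 reports the patch level in its fourth slot.
    """
    if ssl is None:
        return "<no ssl module>", False
    banner = ssl.OPENSSL_VERSION
    v = parse_version(banner)
    return banner, v is not None and is_affected(v)


# Constructed sample: an ELF-like prefix, an affected banner, then a 1.1.1 banner.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"OpenSSL 3.0.6 11 Oct 2022\x00"
    + b"\x90" * 16
    + b"OpenSSL 1.1.1q  5 Jul 2022\x00"
)


if __name__ == "__main__":
    banner, bad = interpreter_status()
    print(f"interpreter: {banner} -> {'AFFECTED' if bad else 'ok'}")
    for arg in sys.argv[1:]:
        for path, versions in scan_tree(Path(arg)).items():
            print(f"{path}: {', '.join('.'.join(map(str, v)) for v in versions)}")
```

Run it as `python3 check_openssl.py / /opt /var/lib/docker` (or against an extracted container layer or firmware image) to list files that embed an affected banner. Treat a hit as a triage signal, not a verdict: distributions that backport the fix keep the base version string (a patched package can still report 3.0.2), so confirm against the vendor's package changelog before closing the finding, and conversely a clean host scan says nothing about images that have not been pulled yet.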