Last updated date: 2nd November 2022
Advisory publication date: 1st November 2022
Summary
This advisory provides information about two high severity vulnerabilities disclosed by OpenSSL on 1st November 2022 and about how they affect CloverDX. The OpenSSL project published the bugfix release OpenSSL 3.0.7 at the same time as the vulnerability details, on 1st November 2022.
CloverDX is not affected by these two vulnerabilities since OpenSSL is not bundled with CloverDX Server or Designer.
However, certain deployments of CloverDX Server may be affected if their SSL configuration has been changed from the default.
Am I affected?
OpenSSL is not part of the CloverDX distribution; however, it may be used by your application server when that server is configured to publish the CloverDX Server Console via HTTPS. Review the section for your application server to see whether OpenSSL is used.
Apache Tomcat
By default, Tomcat does not use OpenSSL when creating HTTPS connectors. It can be configured to do so in its server.xml file. Your deployment will be affected if all three conditions below are true:
- The Connector in the server.xml file is configured with protocol="org.apache.coyote.http11.Http11AprProtocol". By default, Tomcat uses the JSSE library, a pure Java implementation that does not depend on OpenSSL. Please note that the APR connector, which uses native OpenSSL, is deprecated in Tomcat 9 and therefore should not be used.
- The Connector in the server.xml file is configured with SSLEnabled="true".
- You are using OpenSSL version 3.0.x (versions 3.0.0 to 3.0.6; versions 1.x are not vulnerable). To verify the version of OpenSSL installed on the host, run the following command: openssl version.
If all three conditions above are met on your system, your deployment is vulnerable.
VMware tc Server
tc Server is based on Apache Tomcat; to determine whether you are vulnerable, follow the steps described above in the Apache Tomcat section.
Red Hat JBoss Web Server
JBoss Web Server is based on Apache Tomcat; to determine whether you are vulnerable, follow the steps described above in the Apache Tomcat section.
Oracle WebLogic Server
Oracle WebLogic Server does not use OpenSSL in its default configuration and should not be affected by the vulnerability.
Red Hat JBoss EAP
JBoss EAP does not use OpenSSL by default, but it can be configured to do so. To quickly check whether your JBoss instance is using OpenSSL, review your server.log file and look for the following pattern:
[org.wildfly.openssl.SSL] (MSC service thread 1-3) WFOPENSSL0002 OpenSSL Version OpenSSL 1.0.2h-fips 3 May 2016
The version of OpenSSL is printed as part of the message. The version must be 3.0.x (versions 3.0.0 to 3.0.6) for your instance to be affected by the vulnerability; if no such message appears, the instance is not loading native OpenSSL.
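As an added example (not code from CloverDX or from any application-server vendor), the following Python script automates the Apache Tomcat checks and the JBoss EAP server.log check from this section: it parses server.xml for Connectors that use the APR protocol with SSLEnabled="true", extracts the OpenSSL version string from WFOPENSSL0002 log lines, and flags versions in the 3.0.0 to 3.0.6 range named by the advisory. The function names and the sample server.xml and log lines are my own constructions.

```python
import re
import xml.etree.ElementTree as ET

# Vulnerable range stated by the advisory: OpenSSL 3.0.0 through 3.0.6 (3.0.7 is the fix).
def openssl_version_vulnerable(version_text):
    """True if an 'openssl version'-style string names OpenSSL 3.0.0..3.0.6."""
    m = re.search(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        return False
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor) == (3, 0) and patch <= 6

def tomcat_apr_ssl_connectors(server_xml_text):
    """Ports of Connectors that use the APR protocol with SSLEnabled="true" (conditions 1 and 2)."""
    hits = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        apr = conn.get("protocol") == "org.apache.coyote.http11.Http11AprProtocol"
        ssl = conn.get("SSLEnabled", "false").strip().lower() == "true"
        if apr and ssl:
            hits.append(conn.get("port"))
    return hits

def tomcat_affected(server_xml_text, openssl_version_output):
    # All three advisory conditions: APR connector, SSL enabled, OpenSSL 3.0.0-3.0.6 on the host.
    return bool(tomcat_apr_ssl_connectors(server_xml_text)) and openssl_version_vulnerable(openssl_version_output)

# JBoss EAP logs the native OpenSSL version it loaded in a WFOPENSSL0002 message (pattern shown above).
JBOSS_VERSION_LINE = re.compile(r"WFOPENSSL0002 OpenSSL Version (OpenSSL [^\n]*)")

def jboss_openssl_versions(server_log_text):
    """OpenSSL version strings reported in WFOPENSSL0002 lines of server.log."""
    return [v.strip() for v in JBOSS_VERSION_LINE.findall(server_log_text)]

def jboss_affected(server_log_text):
    return any(openssl_version_vulnerable(v) for v in jboss_openssl_versions(server_log_text))

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true">
      <SSLHostConfig><Certificate certificateFile="conf/server.crt" /></SSLHostConfig>
    </Connector>
  </Service>
</Server>"""
SAMPLE_SERVER_LOG = """2022-11-02 10:15:01,123 INFO  [org.wildfly.openssl.SSL] (MSC service thread 1-3) WFOPENSSL0002 OpenSSL Version OpenSSL 1.0.2h-fips 3 May 2016
2022-11-02 11:02:44,910 INFO  [org.wildfly.openssl.SSL] (MSC service thread 1-2) WFOPENSSL0002 OpenSSL Version OpenSSL 3.0.2 15 Mar 2022"""
```

Feed the real server.xml contents and the output of openssl version to tomcat_affected, or the real server.log contents to jboss_affected, to reproduce the manual check on a deployment.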
IBM WebSphere 9
IBM WebSphere 9 does not use OpenSSL in its SSL implementation (it uses JSSE) and as such is not affected by OpenSSL vulnerabilities.
Open Liberty
Open Liberty does not bundle OpenSSL; when configured to use SSL, it uses JSSE, which does not depend on OpenSSL.
Azure Marketplace offer
Our Azure Marketplace offer does not use a vulnerable version of OpenSSL in its default configuration. To verify your configuration, follow the instructions for the Apache Tomcat application server described above.
AWS Marketplace offer
Our AWS Marketplace offer does not use a vulnerable version of OpenSSL in its default configuration. To verify your configuration, follow the instructions for the Apache Tomcat application server described above.
Docker
If you are using our Dockerfile (see GitHub for more details) to deploy CloverDX Server, you will not be affected by the vulnerability in the default configuration. The Docker image uses Apache Tomcat and disables SSL by default. To check the settings, follow the steps for Apache Tomcat described above.
CVE ID
- CVE-2022-3602
- CVE-2022-3786
What you need to do
CloverDX is not affected by the vulnerabilities directly and there is no need to upgrade your instances. However, the environment around CloverDX Server can be affected. To determine whether you are affected, review the "Am I affected?" section above.
If you are affected (regardless of the application server), you must upgrade your OpenSSL version. This is usually done by updating your operating system packages, since OpenSSL tends to be installed as a system library.
Additional information
CVE-2022-3602
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.
An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler.
Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above has led to it being downgraded to HIGH.
Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.
- OpenSSL security advisory: https://www.openssl.org/news/secadv/20221101.txt
- CVE details: CVE-2022-3602 (NVD record)
- CVSS 3.1 score: not yet assigned
- CVSS 3.1 vector: not yet assigned
CVE-2022-3786
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.
Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the “.” character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).
In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.
- OpenSSL security advisory: https://www.openssl.org/news/secadv/20221101.txt
- CVE details: CVE-2022-3786 (NVD record)
- CVSS 3.1 score: not yet assigned
- CVSS 3.1 vector: not yet assigned
Update history
- 2022-11-02 – Additional information about vulnerabilities added, text clarification.
- 2022-11-01 – This advisory was first published.