search

CVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Email Address Buffer Overflows (HIGH)

Updated: Nov 1st, 2022 22:53 UTC

hashtag
Background

In an official statementarrow-up-right, the OpenSSL project team announced the forthcoming release of their next version which was released on Tuesday November 1st 2022. This release includes a fix for a security vulnerability, originally marked as critical but lowered to HIGH.

Additional information can be found in this blogarrow-up-right.

hashtag
Protecting your application

hashtag
CloudGuard WAF's AppSec Gateway and CloudGuard WAF deployments for docker and Kubernetes

If all traffic to your application is routed through CloudGuard WAF, your application is secure even when your protected web server uses a vulnerable OpenSSL library, without any updates.

You do need to follow the instructions below to ensure that communication between CloudGuard WAF and Check Point cloud is using a patched OpenSSL version.

hashtag
CloudGuard WAF for Linux (Embedded Agent)

Make sure that OpenSSL version used by a Server to which you added an Embedded Agent is using a non-vulnerable version of OpenSSL.

hashtag
Updates to CloudGuard WAF

circle-exclamation

Please see as follows regarding required actions items when using CloudGuard WAF.

hashtag
CloudGuard WAF's Gateways (VMWare, AWS, Azure) and CloudGuard WAF for Linux (Embedded Agent)

We released a new agent version with the patched OpenSSL version. The new agent version is 432762 (v1.2244.432762-hotfix-01-11-22).

circle-check

Important to note - The vulnerable openSSL version is used by the CloudGuard WAF agent as an SSL client, whereas the vulnerability mainly impacts server-side SSL.

  • If your agent upgrade Mode is set to Automatic, you will get the fix automatically. To validate that your agents are upgraded, browse to Cloud->Agents and verify the “Latest Version” Column is checked - see example below.

  • If your agent upgrade Mode is set to Manual, you need to browse to Cloud->Profiles, edit your profile objects and click on “Upgrade Now” (there is no expected downtime when doing this upgrade). It will appear like this:

CloudGuard WAF's AppSec Gateway's pre-packaged NGINX is using an OpenSSL version which is not vulnerable.

hashtag
CloudGuard WAF Docker

CloudGuard WAF Docker and pre-packaged NGINX with Attachment are using an OpenSSL version which is not vulnerable.

hashtag
CloudGuard WAF for Kubernetes Ingress

CloudGuard WAF deployment package does not bring OpenSSL, but rather installs one during setup. Unless manual changes were done, the default OpenSSL library installed during deployment will be 1.1.1, which is not vulnerable.

hashtag
CloudGuard WAF

Check Point is working with our public cloud providers to make sure that all cloud components are properly patched as well as our own software running in the cloud.

PreviousEvents/Logs SchemaNextCVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974: Ingress NGINX Controller RCE (Critical)

Last updated

Was this helpful?