# CVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Email Address Buffer Overflows (HIGH)
### Background
In an official [statement](https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html), the OpenSSL project team announced the forthcoming release of their next version which was released on Tuesday November 1st 2022. This release includes a fix for a security vulnerability, originally marked as critical but lowered to HIGH.
Additional information can be found in [this blog](https://blog.checkpoint.com/2022/10/30/openssl-gives-heads-up-to-critical-vulnerability-disclosure-check-point-alerts-organizations-to-prepare-now/).
### Protecting your application
#### CloudGuard WAF's AppSec Gateway and CloudGuard WAF deployments for docker and Kubernetes
If all traffic to your application is routed through CloudGuard WAF, your application is secure even when your protected web server uses a vulnerable OpenSSL library, without any updates.
You do need to follow the instructions below to ensure that communication between CloudGuard WAF and Check Point cloud is using a patched OpenSSL version.
#### CloudGuard WAF for Linux (Embedded Agent)
Make sure that OpenSSL version used by a Server to which you added an Embedded Agent is using a non-vulnerable version of OpenSSL.
### Updates to CloudGuard WAF
{% hint style="warning" %}
Please see as follows regarding required actions items when using CloudGuard WAF.
{% endhint %}
#### **CloudGuard WAF's Gateways (VMWare, AWS, Azure) and CloudGuard WAF for Linux (Embedded Agent)**
We released a new agent version with the patched OpenSSL version. The new agent version is **432762** (**v1.2244.432762-hotfix-01-11-22).**
{% hint style="success" %}
**Important to note** - The vulnerable openSSL version is used by the CloudGuard WAF agent as an SSL client, whereas the vulnerability mainly impacts server-side SSL.
{% endhint %}
* **If your agent upgrade Mode is set to Automatic, you will get the fix automatically.** \
To validate that your agents are upgraded, browse to Cloud->Agents and verify the “Latest Version” Column is checked - see example below.
* **If your agent upgrade Mode is set to Manual**, **you need to browse to Cloud->Profiles, edit your profile objects and click on “Upgrade Now”** (there is no expected downtime when doing this upgrade). It will appear like this:\
\
CloudGuard WAF's AppSec Gateway's pre-packaged NGINX is using an OpenSSL version **which is not vulnerable**.
#### **CloudGuard WAF Docker**
CloudGuard WAF Docker and pre-packaged NGINX with Attachment are using an OpenSSL version **which is not vulnerable**.
#### **CloudGuard WAF for Kubernetes Ingress**
CloudGuard WAF deployment package does not bring OpenSSL, but rather installs one during setup. Unless manual changes were done, the default OpenSSL library installed during deployment will be 1.1.1, **which is not vulnerable**.
### **CloudGuard WAF**
Check Point is working with our public cloud providers to make sure that all cloud components are properly patched as well as our own software running in the cloud.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://waf-doc.inext.checkpoint.com/references/cve-2022-3786-and-cve-2022-3602-openssl-x.509-email-address-buffer-overflows-high.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
