CVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Email Address Buffer Overflows (HIGH)

Updated: Nov 1st, 2022 22:53 UTC

Background

In an official statement, the OpenSSL project team announced the forthcoming release of their next version which was released on Tuesday November 1st 2022. This release includes a fix for a security vulnerability, originally marked as critical but lowered to HIGH.

Additional information can be found in this blog.

Protecting your application

CloudGuard WAF's AppSec Gateway and CloudGuard WAF deployments for docker and Kubernetes

If all traffic to your application is routed through CloudGuard WAF, your application is secure even when your protected web server uses a vulnerable OpenSSL library, without any updates.

You do need to follow the instructions below to ensure that communication between CloudGuard WAF and Check Point cloud is using a patched OpenSSL version.

CloudGuard WAF for Linux (Embedded Agent)

Make sure that OpenSSL version used by a Server to which you added an Embedded Agent is using a non-vulnerable version of OpenSSL.

Updates to CloudGuard WAF

Please see as follows regarding required actions items when using CloudGuard WAF.

CloudGuard WAF's Gateways (VMWare, AWS, Azure) and CloudGuard WAF for Linux (Embedded Agent)

We released a new agent version with the patched OpenSSL version. The new agent version is 432762 (v1.2244.432762-hotfix-01-11-22).

Important to note - The vulnerable openSSL version is used by the CloudGuard WAF agent as an SSL client, whereas the vulnerability mainly impacts server-side SSL.

  • If your agent upgrade Mode is set to Automatic, you will get the fix automatically. To validate that your agents are upgraded, browse to Cloud->Agents and verify the “Latest Version” Column is checked - see example below.

CloudGuard WAF's AppSec Gateway's pre-packaged NGINX is using an OpenSSL version which is not vulnerable.

CloudGuard WAF Docker

CloudGuard WAF Docker and pre-packaged NGINX with Attachment are using an OpenSSL version which is not vulnerable.

CloudGuard WAF for Kubernetes Ingress

CloudGuard WAF deployment package does not bring OpenSSL, but rather installs one during setup. Unless manual changes were done, the default OpenSSL library installed during deployment will be 1.1.1, which is not vulnerable.

CloudGuard WAF

Check Point is working with our public cloud providers to make sure that all cloud components are properly patched as well as our own software running in the cloud.

Last updated