Overview
The OpenSSL Project has released OpenSSL 3.0.7 to fix two buffer overflows in X.509 certificate verification. The advisory rates both issues as HIGH severity; OpenSSL 3.0.0 through 3.0.6 are affected, and 3.0.7 contains the fix. Both overflows are reached while OpenSSL verifies a certificate chain containing a crafted email address, so they matter only where OpenSSL is used to verify certificates, most commonly as a TLS client or as a TLS server that requests client certificates. The advisory can be found here and covers two CVEs:
- X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602)
- X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)
CodeSentry SCA can find OpenSSL components in your binaries and flags the affected versions. Please liaise with your sales representative or email sales@codecsecure.com. We have also written a blog post on this topic, see here.
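As an added example (not CodeSentry or CodeSonar code, and not part of the original advisory), the following POSIX shell script performs a basic version of the check described above: it classifies an OpenSSL version string as affected or not, and scans a file for embedded OpenSSL version strings. It assumes sed and a grep that accepts -a and -o (GNU or BSD); the file contents and version strings used in the usage are constructed for illustration. A dynamically linked binary carries no OpenSSL version string of its own, so point the scan at the libcrypto/libssl shared object that ldd reports, or at statically linked binaries.

```shell
#!/bin/sh
# Added example, not CodeSecure or OpenSSL code: flag OpenSSL builds in the
# range affected by CVE-2022-3602 / CVE-2022-3786 (3.0.0 through 3.0.6).
# Assumptions: POSIX sh, sed, and a grep that accepts -a and -o.

# openssl_affected VERSION
#   exit 0 if VERSION is 3.0.0 .. 3.0.6 (affected), 1 if not affected,
#   2 if VERSION does not start with a major.minor.patch triple.
openssl_affected() {
    # Keep only the numeric triple; anything after it ("q", "-dev", "+quic") is ignored.
    core=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$core" ] || return 2
    set -- $core
    # Compare numerically so that 3.0.10 is treated as newer than 3.0.6.
    [ "$1" -eq 3 ] && [ "$2" -eq 0 ] && [ "$3" -le 6 ]
}

# scan_file PATH
#   Print every OpenSSL version string embedded in PATH (a statically linked
#   binary or a libcrypto/libssl shared object) together with its status.
#   exit 0 if at least one affected version was found, 1 if none was,
#   2 if PATH cannot be read.
scan_file() {
    f=$1
    [ -r "$f" ] || { printf '%s: cannot read\n' "$f" >&2; return 2; }
    hit=1
    found=0
    # OpenSSL embeds strings such as "OpenSSL 3.0.5 5 Jul 2022"; grab the version token.
    for v in $(grep -ao 'OpenSSL [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[A-Za-z]*' "$f" |
               sed 's/^OpenSSL //' | sort -u); do
        found=1
        if openssl_affected "$v"; then
            printf '%s: OpenSSL %s AFFECTED, update to 3.0.7 or later\n' "$f" "$v"
            hit=0
        else
            printf '%s: OpenSSL %s not affected\n' "$f" "$v"
        fi
    done
    [ "$found" -eq 1 ] || printf '%s: no OpenSSL version string found\n' "$f"
    return "$hit"
}

# Stand-alone usage: sh check_openssl.sh FILE...   (exit 0 when any file is affected)
status=1
for f in "$@"; do
    scan_file "$f" && status=0
done
[ "$#" -eq 0 ] || exit "$status"
```

For a system-wide library, `openssl version` reports the version of the default build and can be fed straight to openssl_affected. This is a string match only: it does not see OpenSSL copies that an application has vendored under another name, which is the gap a binary SCA tool is meant to close.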
CodeSonar 7 Family
We have analyzed CodeSonar and determined that versions 7.0 and 7.1 rely on a vulnerable version of OpenSSL (3.0.0 to 3.0.6). Our upcoming release, CodeSonar 7.2, will ship with the fixed OpenSSL. The affected 7.0 and 7.1 releases will receive patched installers on the schedule below.
Older Versions of CodeSonar
Versions released prior to CodeSonar 7.0 use OpenSSL 1.1.1, which is not affected by these vulnerabilities.
Patched Installer Updates
Patched installer releases are scheduled as follows:

| Version | Patch Release Date |
|---------|--------------------|
| 7.1     | 22nd November      |
| 7.0     | 22nd November      |
| 6.x     | Not affected       |
We recommend that you check this page regularly for updates on the schedule. Our current supported versions of CodeSonar can be found here.
Questions
No. If you are not using HTTPS, TLS mode with Postgres, or MASTER_USE_TLS, you can continue to use these hubs: the vulnerable code is only reached when OpenSSL verifies a certificate, which these hubs then never do. If your servers are exposed only on your intranet, you trust the people on that intranet, and the intranet itself is secure, then you need not be concerned.
Note: the above does not apply if someone has compromised your intranet, or if a hub is running HTTPS and you have not accounted for it being enabled.
Info
We recommend you follow the support advisory section so any new content added in the future will trigger an email to your inbox.