Security Bulletin #22-005 - OpenSSL 3.0 external library vulnerability



First published: 4th November 2022
Last updated: 4th November 2022
Severity: None


Summary

Two vulnerabilities have been found in the implementation of OpenSSL. This affects the following supported DriveLock products (supported at the time this bulletin was created):

  • No DriveLock product is affected

Description

The detected vulnerabilities (CVE-2022-3602 and CVE-2022-3786) in OpenSSL allow execution of arbitrary code by means of a buffer overrun that can be triggered during X.509 certificate verification, specifically in name constraint checking.

Mitigation

DriveLock cannot be targeted using these exploits.

How to update your environment

Customers do not need to update their environment.
Nevertheless, we always recommend using the latest available version.