OpenSSL Dodges a Security Bullet
The critical security vulnerability turned out to be two serious vulnerabilities. Still, they need patching ASAP.
At first, it looked like the OpenSSL 3.x security bug was going to be truly awful. It was initially feared to be a critical flaw that could lead to remote code execution (RCE), but on closer examination it turned out to be not so horrid after all.
That's not to say it isn't bad. Both CVE-2022-3786 ("X.509 Email Address Variable Length Buffer Overflow") and CVE-2022-3602 ("X.509 Email Address 4-byte Buffer Overflow") carry a CVSS rating of 8.8, which is considered "high." That means they can still cause you real trouble.