An update on the OpenSSL vulnerability CVE-2022-3602
Updated November 1, 2022
IBM is responding to the reported buffer overflow vulnerability that the OpenSSL open source community disclosed for OpenSSL versions 3.0.0 - 3.0.6. We are taking action as an enterprise and for IBM products and services that may potentially be impacted, as we do for all vulnerabilities rated High.
Note: OpenSSL pre-announced on October 25, 2022, that OpenSSL 3.0.7 would fix a Critical vulnerability. Its vulnerability disclosure today downgraded the vulnerability to High.
IBM clients concerned about the applicability of this vulnerability to IBM products should, as with any other security vulnerability, continue to monitor IBM Product Security Central for product-specific security bulletins and fixes.
References:
- OpenSSL Advisory: https://www.openssl.org/news/secadv/20221101.txt
- Security Bulletins for IBM Products: https://www.ibm.com/support/pages/bulletin/
- IBM X-Force Exchange: https://exchange.xforce.ibmcloud.com/collection/99583d384dc258bbba0b763afd60dc96
Updated October 31, 2022
IBM preparing to respond to upcoming OpenSSL vulnerability
October 31, 2022: IBM is preparing to respond to a reported critical vulnerability in OpenSSL (widely-used open source software) that is anticipated to be disclosed by the owning open source community on November 1, 2022.
IBM is investigating and taking proactive steps as an enterprise and for IBM products and services that may potentially be impacted, as we do for all critical vulnerabilities.
IBM recommends that you continue to monitor IBM Product Security Central for security bulletins published with product fixes.
IBM also recommends organizations running OpenSSL:
- Check for OpenSSL 3.0.0+ in your environments and applications
- Implement the latest patch in production environments as soon as it is available from OpenSSL
- Monitor for vendor patches as they become available
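
One way to carry out the first recommendation above, as an added example that is not IBM's or OpenSSL's code: it classifies `openssl version` output against the range stated on this page (3.0.0 - 3.0.6 affected, fixed in 3.0.7) and lists OpenSSL 3.x shared libraries for follow-up. The function names and the default search directories are assumptions.

```shell
#!/bin/sh
# Added example (not IBM or OpenSSL code). Range taken from this page:
# OpenSSL 3.0.0 - 3.0.6 affected, fixed in 3.0.7.

# classify_openssl_version "<one line of `openssl version` output>"
# Prints one of: affected | fixed | not-3.x | unknown
classify_openssl_version() {
    # Extract "major minor patch" following the last "OpenSSL " on the line,
    # which is the linked library when the "(Library: ...)" suffix is present.
    # Letter suffixes such as the "s" in 1.1.1s are ignored.
    parts=$(printf '%s\n' "$1" | sed -n \
        's/.*OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    set -- $parts
    if [ $# -ne 3 ]; then
        echo unknown            # e.g. LibreSSL, BoringSSL, empty output
    elif [ "$1" -ne 3 ]; then
        echo not-3.x            # 1.0.2 / 1.1.1 are outside the stated range
    elif [ "$2" -eq 0 ] && [ "$3" -le 6 ]; then
        echo affected           # 3.0.0 through 3.0.6
    else
        echo fixed              # 3.0.7 or later
    fi
}

# scan_host [dir...]  (hypothetical helper; the default dirs are assumptions)
scan_host() {
    [ $# -gt 0 ] || set -- /usr/lib /usr/lib64 /usr/local/lib /opt
    if command -v openssl >/dev/null 2>&1; then
        v=$(openssl version 2>/dev/null) || v=''
        printf '%s\t%s\n' "$(classify_openssl_version "$v")" "openssl on PATH: $v"
    fi
    # The soname does not encode the patch level, so bundled copies are only
    # listed here; check each one against its owning package or vendor.
    find "$@" \( -name 'libssl.so.3*' -o -name 'libcrypto.so.3*' \) -print 2>/dev/null |
    while IFS= read -r lib; do
        printf 'check-package\t%s\n' "$lib"
    done
}
```

Run `scan_host` with no arguments, or pass application directories that may bundle their own copy. Distribution packages can carry a backported fix without changing the upstream version string, so confirm an `affected` result against the vendor's bulletin.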
References:
- Notices published by the OpenSSL community: https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
- Security Bulletins for IBM Products: https://www.ibm.com/support/pages/bulletin/
- IBM X-Force Exchange: https://exchange.xforce.ibmcloud.com