The OpenSSL Project has announced the release of OpenSSL 3.0.7. Everyone was waiting with bated breath to hear the specifics of the first serious vulnerability found since 2016, but the project’s developers chose to reduce the vulnerability’s severity level.
Last week, the OpenSSL Project disclosed that a critical vulnerability in OpenSSL 3.0 would be fixed by an update. A buffer overrun vulnerability known as CVE-2022-3602 has been identified in X.509 certificate verification that can be exploited. Exploiting the flaw could result in remote code execution or a denial-of-service (DoS) condition brought on by a crash.
The advisory for CVE-2022-3602 states that “An attacker can create a malicious email address to overflow four attacker-controlled bytes on the stack.”