
High Severity vulnerability present in OpenSSL version 3.x

The Australian Cyber Security Centre (ACSC) is aware of two buffer overflow vulnerabilities in the OpenSSL 3.0 release line (versions 3.0.0 through 3.0.6). All Australian organisations using OpenSSL 3.0.x should apply the available patch (OpenSSL 3.0.7) immediately.

Alert status
HIGH

Background / What has happened?

Two buffer overflow vulnerabilities, CVE-2022-3602 (a 4-byte stack buffer overflow) and CVE-2022-3786 (a variable-length stack buffer overflow), have been identified in OpenSSL versions 3.0.0 through 3.0.6. Both are triggered while OpenSSL checks X.509 certificate name constraints against an email address contained in a certificate. Earlier release lines (OpenSSL 1.1.1 and 1.0.2) are not affected.

OpenSSL is a widely used cryptographic and secure communication (TLS) library. It is available for most operating systems and is also bundled into many applications and appliances, so it can be present on a host even where the operating system's own copy has been patched.

Exploitation of these vulnerabilities could, in principle, allow a malicious actor to execute code remotely on the host running OpenSSL and perform unauthorised actions. More readily, a specially crafted email address in an X.509 certificate can trigger the overflow and crash the process (denial of service). Triggering either vulnerability requires the crafted certificate to be signed by a certificate authority the affected host trusts, or the application to continue verification despite failing to build a trusted path to an issuer; exposed code paths include TLS clients connecting to a malicious server and TLS servers that request client certificates.

Affected Australian organisations should apply the available patch immediately.

The ACSC is not aware of any successful exploitation attempts against Australian organisations.

Mitigation / How do I stay secure?

Australian organisations that use OpenSSL 3.0.x should review their patch status and update to OpenSSL 3.0.7 or later. There are no known workarounds short of updating.

Third-party vendor software and appliances may bundle or statically link their own copy of OpenSSL, which the operating system package manager will not update. Organisations should consult their vendors about patched releases for those products.
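The two steps above (check which OpenSSL versions are present, including copies bundled by third-party software, and decide whether each one is affected) can be scripted. The following POSIX shell script is an added example, not part of the ACSC advisory or of the OpenSSL project. It classifies a version string against the affected range (3.0.0 through 3.0.6, fixed in 3.0.7), then optionally surveys a host by reading the version banner that the OpenSSL CLI, the libssl/libcrypto shared objects and statically linked binaries all embed. It assumes the `strings` utility (binutils) is installed and that the directory list in `survey_openssl` is adjusted to where vendor software lives on the host; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the ACSC advisory or the OpenSSL project):
# classify OpenSSL versions against CVE-2022-3602 / CVE-2022-3786 and
# survey a host for every copy of OpenSSL it can find.
# Affected: 3.0.0 through 3.0.6. Fixed: 3.0.7. 1.1.1 and 1.0.2: not affected.

# extract_openssl_version "<banner or version>" -> bare "X.Y.Z"
# Accepts the `openssl version` banner ("OpenSSL 3.0.5 5 Jul 2022") or a
# bare number. Letter suffixes such as "1.1.1q" are dropped. Prints nothing
# for non-OpenSSL banners (e.g. macOS's "LibreSSL 3.3.6", a different codebase).
extract_openssl_version() {
    v=${1#OpenSSL }                       # drop the banner prefix if present
    v=${v%% *}                            # drop build date / library info
    printf '%s\n' "$v" | sed 's/[^0-9.].*$//'
}

# classify_openssl_version "<banner or version>" -> affected | not-affected | unknown
classify_openssl_version() {
    ver=$(extract_openssl_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0        # bare "3": no minor field
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0     # "3.0": no patch field, treat as .0
    patch=${patch%%.*}                    # "3.0.5.1": keep only the patch field
    if [ "$major" = 3 ] && [ "$minor" = 0 ] && [ "$patch" -le 6 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# report_binary <path>: print the OpenSSL banner embedded in a shared
# object or statically linked executable, with its classification.
report_binary() {
    banner=$(strings "$1" 2>/dev/null | grep '^OpenSSL [0-9]' | head -n 1)
    [ -n "$banner" ] || return 0          # no OpenSSL banner in this file
    printf '%s\n    %s  [%s]\n' "$1" "$banner" "$(classify_openssl_version "$banner")"
}

# survey_openssl [extra-dir ...]: check the CLI on PATH, the system
# library directories, and any extra directories (e.g. vendor install
# roots) for libssl/libcrypto copies and executables carrying a banner.
survey_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        banner=$(openssl version 2>/dev/null)
        printf 'openssl CLI\n    %s  [%s]\n' "$banner" "$(classify_openssl_version "$banner")"
    fi
    for dir in /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /opt "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -name 'libcrypto.so*' -o -name 'libssl.so*' \
            -o -perm -u+x \) 2>/dev/null |
        while IFS= read -r f; do
            report_binary "$f"
        done
    done
}

# Usage:  sh openssl_check.sh --survey /opt/vendor /usr/local/vendor
case "${1:-}" in
    --survey) shift; survey_openssl "$@" ;;
esac
```

Only the `--survey` invocation touches the filesystem; sourcing the script just defines the functions, so `classify_openssl_version` can also be fed version strings collected from other hosts by configuration management. The survey reports a banner for any file it scans, so a vendor binary that statically links OpenSSL 3.0.x shows up alongside the system libraries it does not use.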

Assistance / Where can I go for help?

The ACSC is monitoring the situation and can provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1.
