This brief video from the Red Hat Product Security Team discusses the two recent CVEs that impact OpenSSL versions 3.0.0 - 3.0.6.

On November 1, 2022, the security team at OpenSSL published an advisory about CVE-2022-3786 (“X.509 Email Address Variable Length Buffer Overflow”) and CVE-2022-3602 (“X.509 Email Address 4-byte Buffer Overflow”).

These two vulnerabilities only affect Red Hat Enterprise Linux (RHEL) version 9 and Red Hat Universal Base Image 9. Red Hat Enterprise Linux versions 8 and below are based on OpenSSL version 1.x and are not affected by this vulnerability.

Red Hat Product Security has rated these vulnerabilities as “Important” and Red Hat customers running affected versions of these Red Hat products are strongly recommended to update as soon as erratas are available.

For more information, refer to the security bulletin at: https://access.redhat.com/security/vulnerabilities/RHSB-2022-004