After analysing the vulnerability, we consider that current releases of the Cumulocity IoT Platform are not affected. However, if your microservices link against vulnerable OpenSSL versions for outbound TLS connections, we advise upgrading the OpenSSL library to version 3.0.7.
Once we have further details, we will analyse the impact of the vulnerability in the context of the Cumulocity IoT Platform and take the necessary actions if required.
CVE: CVE-2022-3786, CVE-2022-3602
CVSS Score: N/A
Vulnerability Details: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. An attacker can craft a malicious email address in a certificate to trigger a buffer overflow that could result in a crash (causing a denial of service) or potentially remote code execution.
Severity: High
Reference: https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
• OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue.
• OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.
• OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
The details published in the CVE have been analysed in the context of Cumulocity IoT cloud and Cumulocity IoT Edge. After analysing the vulnerability, we consider that current releases of the Cumulocity IoT Platform are not affected. However, if your microservices link against vulnerable OpenSSL versions for outbound TLS connections, we advise upgrading the OpenSSL library to version 3.0.7 as recommended above.
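The advisory leaves the check of "which OpenSSL does my microservice actually use" to the reader. The following script is an added example, not part of the advisory or of the Cumulocity platform code: it parses an OpenSSL version banner (as printed by `openssl version` or exposed by Python's `ssl.OPENSSL_VERSION`), applies the affected range stated above (3.0.0 through 3.0.6, fixed in 3.0.7, 1.1.1 and 1.0.2 unaffected), and reports whether the running process itself is linked against an affected build. The sample banners in the block are constructed; the function names are our own.

```python
import re
import ssl
from typing import Optional, Tuple

# Affected range as stated in the advisory: OpenSSL 3.0.0 through 3.0.6
# inclusive, fixed in 3.0.7. The 1.1.1 and 1.0.2 lines are not affected.
AFFECTED_MIN = (3, 0, 0)
FIXED_VERSION = (3, 0, 7)

# Matches "OpenSSL 3.0.5 ..." and also letter-suffixed 1.x builds like "1.1.1q".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an `openssl version` banner.

    Returns None when the banner is not an OpenSSL version string
    (for example LibreSSL or BoringSSL builds), so callers can treat
    "unknown library" separately from "known unaffected".
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch)


def is_affected(banner: str) -> bool:
    """True when the banner reports an OpenSSL build in the 3.0.0 - 3.0.6 range."""
    version = parse_openssl_version(banner)
    if version is None:
        return False
    return AFFECTED_MIN <= version < FIXED_VERSION


def check_running_interpreter() -> dict:
    """Report the OpenSSL build the current Python process (e.g. a microservice) uses.

    ssl.OPENSSL_VERSION is the library the interpreter was linked against, which
    is what its outbound TLS connections will use for certificate verification.
    """
    banner = ssl.OPENSSL_VERSION
    return {"banner": banner, "affected": is_affected(banner)}


if __name__ == "__main__":
    # Constructed sample banners in the format `openssl version` prints.
    samples = [
        "OpenSSL 3.0.5 5 Jul 2022",
        "OpenSSL 3.0.7 1 Nov 2022",
        "OpenSSL 1.1.1q  5 Jul 2022",
        "LibreSSL 3.3.6",
    ]
    for sample in samples:
        print(f"{sample!r}: affected={is_affected(sample)}")
    print(check_running_interpreter())
```

Run it inside each microservice container image (or feed it the output of `openssl version` from the image) rather than on the host: the relevant library is the one the service is linked against, which often differs from the host's system OpenSSL. A `None` result from the parser means the build is not OpenSSL at all and needs a separate look rather than being assumed safe.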
For updates regarding public Cumulocity IoT platforms that we operate, refer to the status page - https://status.cumulocity.com/.
Change log:
31st October 2022 - Initial publication.
02nd November 2022 - Advisory updated after CVE details became available.
Please be informed that OpenSSL has announced a forthcoming release of its next version, scheduled for Tuesday (1st Nov, 2022). This release is expected to include a fix for a HIGH severity security vulnerability.
Versions that are vulnerable:
- OpenSSL versions 3.0 and above.
- OpenSSL version 3.0.7 is expected to be released on Tuesday (1st Nov, 2022) with the fix for this vulnerability.
From our current analysis, the vulnerability does NOT impact the current GA versions of Cumulocity IoT Public Clouds and Edge deployments, as the affected versions are not used in the Cumulocity platform.
Once we have further details, we will analyse the impact of the vulnerability in the context of the Cumulocity IoT Platform and take the necessary actions if required.