CVE-2022-3602 and CVE-2022-3786

WSO2 Products impacted: no

Customers actions required: no

REPORTED VULNERABILITY

The vulnerability is a memory corruption bug that can be triggered when a vulnerable client or server validates an X.509 certificate. A specially crafted email address abusing non-ASCII codepoints in a client or server certificate could exploit this vulnerability to achieve denial of service (DoS) or remote code execution (RCE)123. An attacker could exploit the vulnerability in any situation where a vulnerable application verifies an untrusted X.509 certificate (including TLS certificates).

WSO2 JUSTIFICATION

WSO2 products are Java based applications. Java has its own TLS implementation 4 and does not use OpenSSL. Therefore, WSO2 products are not vulnerable to this CVE-2022-36021 or CVE-2022-37862.

REFERENCES

  1. https://nvd.nist.gov/vuln/detail/CVE-2022-3602 

  2. https://nvd.nist.gov/vuln/detail/CVE-2022-3786 

  3. https://securitylabs.datadoghq.com/articles/openssl-november-1-vulnerabilities/#description 

  4. https://docs.oracle.com/javase/10/security/java-secure-socket-extension-jsse-reference-guide.htm#JSSEC-GUID-59EC25A8-4CE4-4D94-896B-8E6FB23C2838