CVE-2022-3602 and CVE-2022-3786

WSO2 Products impacted: no

Customers actions required: no


The vulnerability is a memory corruption bug that can be triggered when a vulnerable client or server validates an X.509 certificate. A specially crafted email address abusing non-ASCII codepoints in a client or server certificate could exploit this vulnerability to achieve denial of service (DoS) or remote code execution (RCE)123. An attacker could exploit the vulnerability in any situation where a vulnerable application verifies an untrusted X.509 certificate (including TLS certificates).


WSO2 products are Java based applications. Java has its own TLS implementation 4 and does not use OpenSSL. Therefore, WSO2 products are not vulnerable to this CVE-2022-36021 or CVE-2022-37862.