OpenSSL-2022
Operational information regarding CVE-2022-3602 and CVE-2022-3786, two vulnerabilities in OpenSSL 3 (by NCSC-NL)
openssl-vuln-nov-2022
List of software impacted by OpenSSL 3.x Nov 2022 vulnerability (by pblumo)
| | OpenSSL-2022 | openssl-vuln-nov-2022 |
|---|---|---|
| Mentions | 21 | 1 |
| Stars | 531 | 11 |
| Growth | 0.0% | - |
| Activity | 10.0 | 3.2 |
| Latest commit | over 1 year ago | over 1 year ago |
| License | MIT License | GNU Affero General Public License v3.0 |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user-suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
OpenSSL-2022
Posts with mentions or reviews of OpenSSL-2022. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2022-11-01.
- OpenSSL CVE Remediation?
  NCSC-NL is keeping an up-to-date list of affected software here: https://github.com/NCSC-NL/OpenSSL-2022/tree/main/software. Salesforce is not mentioned, but if their servers were using 3.0–3.6 I'd expect them to be upgraded already.
- M365 Defender Vulnerability Management - OpenSSL
- Overview of software (un)affected by the OpenSSL vulnerability
- List of software (un)affected by OpenSSL vulnerability
- CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows
  NCSC is calling it SpookySSL, but I think it is just for funsies. https://github.com/NCSC-NL/OpenSSL-2022
- SSL RCE Vulnerability
- Security issue with OpenSSL
- OpenSSL 3.0.7 - CVE-2022-3602
- OpenSSL 3.0.7 Published
  I'm oversimplifying it a bit, but anything that hasn't reached stable this year is still using v1.1.1 (and therefore unaffected).
  Ubuntu v22.04 is vulnerable, but any before it is not. Debian is good (except bookworm, which is currently in testing), Fedora (<36) is good, RHEL/CentOS (<9), Arch...
  So on top of being not as serious as Heartbleed, servers that have been a bit longer in operation (but are still well within their support cycle) don't need patching.
  https://github.com/NCSC-NL/OpenSSL-2022/tree/main/software
- Urgent: Patch OpenSSL on November 1 to avoid “Critical” Security Vulnerability - GlobalSign
openssl-vuln-nov-2022
Posts with mentions or reviews of openssl-vuln-nov-2022. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2022-11-01.
- OpenSSL CVE: Overview of software (un)affected by vulnerability
  Nice! Thanks for sharing. Caring == sharing
  https://xeiaso.net/blog/openssl-3.x-secvuln-incoming
  https://github.com/pblumo/openssl-vuln-nov-2022/blob/main/list.csv
  https://mta.openssl.org/pipermail/openssl-announce/2022-October/
  https://github.com/NCSC-NL/OpenSSL-2022
  https://community.qualys.com/vulnerability-detection-pipeline/
  https://isc.sans.edu/forums/diary/Upcoming+Critical+OpenSSL+Vulnerability+What+will+be+Affected/29192
What are some alternatives?
When comparing OpenSSL-2022 and openssl-vuln-nov-2022, you can also consider the following projects:
betterscan-ce - Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners + OpenAI GPT with One Report (Code, IaC) - Betterscan Community Edition (CE)
OpenSSL - TLS/SSL and crypto library
rustls - A modern TLS library in Rust
CVE-2022-3602