OpenSSL 3.0 Vulnerability - CVE-2022-3602 and CVE-2022-3786

OpenSSL released version 3.0.7 on Nov 1st, 2022, patching two related vulnerabilities, both currently rated "High". CVE-2022-3602 was initially rated "Critical" and was downgraded after analysis.
 
Currently, there are two production versions of OpenSSL:
  1. OpenSSL 1.1.1 - not vulnerable. Latest version: 1.1.1s
  2. OpenSSL 3.0.x - vulnerable for x less than 7 (3.0.0 through 3.0.6). Latest version: 3.0.7 (released on Nov/1/2022)
 
To check if your version is affected:
  1. Log in as admin to the CLI of the Nodegrid device
  2. Execute: shell sudo su -
  3. Execute: openssl version
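
The comparison in step 3 can be scripted. The function below is an added example, not ZPE or OpenSSL code; it classifies a line of `openssl version` output against the ranges stated in this article. The function name `classify_openssl` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `openssl version` output using this article's ranges:
#   3.0.0 - 3.0.6 -> affected, 3.0.7 and later 3.0.x -> fixed, 1.1.1x -> not-affected.

classify_openssl() {
    line=$1
    # OpenSSL 3.x also prints "(Library: OpenSSL x.y.z ...)". Prefer that field:
    # the linked library, not the command-line binary, carries the parsing code.
    case $line in
        *"(Library: OpenSSL "*) ver=${line#*"(Library: OpenSSL "} ;;
        "OpenSSL "*)            ver=${line#"OpenSSL "} ;;
        *) echo unknown; return 0 ;;
    esac
    ver=${ver%% *}                      # drop the build date after the version
    case $ver in
        1.1.1*) echo not-affected ;;
        3.0.*)
            patch=${ver#3.0.}
            patch=${patch%%[!0-9]*}     # strip any non-numeric suffix
            if [ -z "$patch" ]; then echo unknown
            elif [ "$patch" -lt 7 ]; then echo affected
            else echo fixed
            fi ;;
        *) echo unknown ;;              # releases this article does not cover
    esac
}

# Constructed sample lines in the format `openssl version` prints.
for sample in \
    "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)" \
    "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)" \
    "OpenSSL 1.1.1s  1 Nov 2022"
do
    printf '%-14s %s\n' "$(classify_openssl "$sample")" "$sample"
done
```

On the device, pass the output of step 3 directly: `classify_openssl "$(openssl version)"`.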
 
The Nodegrid OS versions listed below use OpenSSL 3.0.x and are affected:
  1. v5.4.14 and older
  2. v5.6.6 and older

ZPE strongly recommends upgrading all devices with Nodegrid OS 5.4.x and 5.6.x to 5.4.15 and 5.6.7 respectively. These releases are expected on Nov/04.

You can upgrade all devices using ZPE Cloud and/or via Cluster Management, if one of these features is available in your environment.

The Nodegrid OS versions listed below use OpenSSL 1.1.1 and are not affected by CVE-2022-3602 and CVE-2022-3786:
  1. v3.2.x
  2. v4.2.x
  3. v5.0.x
  4. v5.2.x
