Broadcom Agile Operations Software Security Advisory for OpenSSL 2022-11-01 Vulnerabilities

Product: CA Automic Dollar Universe
Advisory ID: 21022
Updated: 08 November 2022
Issued: 01 November 2022
Status: OPEN
Severity: HIGH
CVSS Score: 7.5


Issued: November 1, 2022, 1800 UTC
Updated: November 8, 2022, 0500 UTC

Broadcom Agile Operations Software is investigating two OpenSSL 3.x vulnerabilities that were disclosed by the OpenSSL Project on 2022-11-01. The first vulnerability, X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), has a High risk rating and could result in a denial of service or remote code execution. The second vulnerability, X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786), has a High risk rating and could result in a denial of service. The OpenSSL Project has addressed these vulnerabilities in version 3.0.7. OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to both issues. In addition to checking this advisory for updates and checking the individual product support pages for updates, you may open a support case.
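The advisory's affected range (OpenSSL 3.0.0 through 3.0.6, fixed in 3.0.7) can be turned into a quick inventory check. The following script is an added example, not Broadcom code and not part of this advisory: it parses the banner printed by `openssl version`, classifies it against the range stated above, and optionally runs the check against the local `openssl` binary. The sample banners are constructed for illustration.

```python
import re
import subprocess

# Affected range stated in the advisory: 3.0.0 through 3.0.6; fixed in 3.0.7.
VULNERABLE_MIN = (3, 0, 0)
VULNERABLE_MAX = (3, 0, 6)
FIXED_VERSION = (3, 0, 7)

# Matches "OpenSSL 3.0.5 ..." and letter-suffixed 1.x banners such as "OpenSSL 1.1.1q".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*")


def parse_openssl_version(banner):
    """Return (major, minor, patch) from an `openssl version` banner.

    Returns None when the text is not an OpenSSL banner (LibreSSL, a wrapper
    tool, an empty string), so callers can report 'unknown' instead of
    silently treating the host as unaffected.
    """
    m = _VERSION_RE.search(banner or "")
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3))


def is_affected(banner):
    """True when the banner reports a release inside 3.0.0..3.0.6.

    Raises ValueError for an unparsable banner rather than returning False,
    because 'could not tell' must not be reported as 'not affected'.
    """
    v = parse_openssl_version(banner)
    if v is None:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return VULNERABLE_MIN <= v <= VULNERABLE_MAX


def classify(banner):
    """Map a banner to 'affected', 'patched', 'unaffected-series' or 'unknown'.

    'patched' covers 3.0.7 and every later release; 'unaffected-series' covers
    releases before 3.0.0 (the 1.x line), which these two CVEs do not touch.
    """
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    if VULNERABLE_MIN <= v <= VULNERABLE_MAX:
        return "affected"
    if v >= FIXED_VERSION:
        return "patched"
    return "unaffected-series"


def local_openssl_banner():
    """Run the system `openssl version` and return its banner, or None if absent."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    return proc.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample banners (hypothetical hosts), not output from any product.
    samples = [
        "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
        "OpenSSL 3.0.7 1 Nov 2022",
        "OpenSSL 1.1.1q  5 Jul 2022",
        "LibreSSL 3.3.6",
    ]
    for s in samples:
        print(f"{classify(s):>17}  {s}")
    banner = local_openssl_banner()
    if banner:
        print(f"{classify(banner):>17}  {banner} (local openssl binary)")
```

The check only sees the `openssl` command on the PATH. Products that bundle or statically link their own copy of OpenSSL, as many of the products listed below do, carry a separate version, so the per-product knowledge-base articles in this advisory remain the authoritative source for whether a given installation is affected.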

Risk Rating

CVE: CVE-2022-3602 - High
CVSS 3.1 Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE: CVE-2022-3786 - High
CVSS 3.1 Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Dollar Universe - https://knowledge.broadcom.com/external/article/253361

Products Under Investigation

none

Non-Affected Products that include OpenSSL

AppWorks (Automic Applications Manager, Rapid Automation Banner Agent) - https://knowledge.broadcom.com/external/article/253363
Automic Automation - https://knowledge.broadcom.com/external/article/253350
Automic Continuous Delivery Automation - https://knowledge.broadcom.com/external/article/253350
AutoSys Workload Automation - https://knowledge.broadcom.com/external/article/253268
Clarity - https://knowledge.broadcom.com/external/article/253701
NetOps / AppNeta - https://knowledge.broadcom.com/external/article/253346
NetOps / Mediation Manager (CAMM) - https://knowledge.broadcom.com/external/article/253304
NetOps / Network Flow Analysis (NFA) - https://knowledge.broadcom.com/external/article/253304
NetOps / Performance Management (PM) - https://knowledge.broadcom.com/external/article/253304
NetOps / Spectrum - https://knowledge.broadcom.com/external/article/253304
Rally Adapter for Jira
Rally onPrem
Rally SaaS
Sysload
System Performance for IM
SystemEDGE
Virtual Assurance for IM
Workload Automation Agents - https://knowledge.broadcom.com/external/article/253265

Non-Affected Products that do not include OpenSSL

Automation Intelligence - https://knowledge.broadcom.com/external/article/253358
ESP dSeries Workload Automation - https://knowledge.broadcom.com/external/article/253267
NetOps / CABI - https://knowledge.broadcom.com/external/article/253304
DX NetOps Kafka - https://knowledge.broadcom.com/external/article/253304
DX NetOps OI Connector - https://knowledge.broadcom.com/external/article/253304
NetOps / Virtual Network Assurance (VNA) - https://knowledge.broadcom.com/external/article/253304
Workload Automation iXP - https://knowledge.broadcom.com/external/article/253269

References

Broadcom Mainframe Software Security Advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/21015
Symantec Security Advisory (SED, IMS, former AOD products): https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/21016
Brocade Security Advisory:  https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-2115
CVE: 
https://www.cve.org/CVERecord?id=CVE-2022-3602
https://www.cve.org/CVERecord?id=CVE-2022-3786
NVD: 
https://nvd.nist.gov/vuln/detail/CVE-2022-3786
https://nvd.nist.gov/vuln/detail/CVE-2022-3602
OpenSSL Vulnerabilities page: https://www.openssl.org/news/vulnerabilities.html
OpenSSL Security Advisory [01 November 2022]: https://www.openssl.org/news/secadv/20221101.txt
OpenSSL Blog - CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

Change History

Version 1.0: 2022-11-01 1800 UTC - Initial Release
Version 1.1: 2022-11-01 1830 UTC - Added CVSS scores and vectors. Moved Dollar Universe to Affected.
Version 1.2: 2022-11-01 1900 UTC - Added AppWorks URL.
Version 1.3: 2022-11-01 2100 UTC - Added and changed multiple URLs; clarified that CVSS scores include Temporal metric.
Version 1.4: 2022-11-02 2130 UTC - Added and changed multiple URLs; updates for multiple products; updated CVSS scores; changed risk rating to Critical.
Version 1.5: 2022-11-03 0200 UTC - All Rally products are not affected.
Version 1.6: 2022-11-08 0500 UTC - Added Clarity URL; lowered CVSS score for CVE-2022-3602.

Broadcom Software customers may receive product alerts and advisories by subscribing to Proactive Notifications.

Customers who require additional information about this notice may contact Broadcom Software Support at https://support.broadcom.com/.

Copyright © 2022 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, CA Technologies and the CA technologies logo are among the trademarks of Broadcom. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.