【Azure 环境】Azure 云环境对于OpenSSL 3.x 的严重漏洞(CVE-2022-3602 和 CVE-2022-3786)的处理公告

缓冲区溢出可以在 X.509 证书验证中触发，特别是在名称约束检查中。

请注意，这发生在证书链签名验证之后，并且要求 CA 已对恶意证书进行签名，或者要求应用程序继续证书验证，尽管无法构造指向受信任颁发者的路径。
攻击者可以手工创建恶意电子邮件地址，使堆栈上四个攻击者控制的字节溢出。此缓冲区溢出可能导致崩溃（导致拒绝服务）或可能远程执行代码。许多平台都实现了堆栈溢出保护，以降低远程代码执行的风险。根据任何给定平台/编译器的堆栈布局，可以进一步降低风险。

CVE-2022-3602 的预公告将此问题描述为“严重”。基于上述一些缓解因素的进一步分析导致其降级为HIGH。我们仍鼓励用户尽快升级到新版本。

在 TLS 客户端中，可以通过连接到恶意服务器来触发此操作。

在 TLS 服务器中，如果服务器请求客户端身份验证并且恶意客户端连接，则可以触发此操作。

在 OpenSSL 3.0.7 中修复（受影响的 3.0.0、3.0.1、3.0.2、3.0.3、3.0.4、3.0.5、3.0.6）。

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.

Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.
An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler.

Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible.

In a TLS client, this can be triggered by connecting to a malicious server.

In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).