Knowledgebase:
OpenSSL.org Announced Vulnerability CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows
01 November 2022 07:12 PM

OpenSSL.org released a blog post announcing the OpenSSL vulnerabilities CVE-2022-3786 (“X.509 Email Address Variable Length Buffer Overflow”) and CVE-2022-3602 (“X.509 Email Address 4-byte Buffer Overflow”) along with the OpenSSL 3.0.7 release. The vulnerability has been downgraded from CRITICAL to HIGH.

Since the MarkLogic family of products has not yet switched to OpenSSL 3.x, MarkLogic Server is NOT impacted by this critical vulnerability.

For more details, please refer to https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
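
A version triage check for the same question on other hosts, added here as an example (it is not MarkLogic or OpenSSL project code): it classifies `openssl version` banners against the affected 3.0.0 to 3.0.6 range that 3.0.7 fixes. The host names and banners are constructed sample data, and the function names are hypothetical.

```python
import re

# Banner shape printed by `openssl version`, e.g. "OpenSSL 3.0.5 5 Jul 2022".
_BANNER = re.compile(
    r"^(?P<product>\S+)\s+(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
)

FIRST_AFFECTED = (3, 0, 0)  # the 3.x stream; earlier streams are not affected
FIXED = (3, 0, 7)           # release that carries the fix


def classify(banner: str) -> str:
    """Classify one version banner for CVE-2022-3786 / CVE-2022-3602."""
    m = _BANNER.match(banner.strip())
    if m is None:
        return "unparsed"
    # LibreSSL also reports 3.x numbers but is a different code base,
    # so a bare "version >= 3" comparison would flag it incorrectly.
    if m["product"] != "OpenSSL":
        return "not-openssl"
    version = (int(m["major"]), int(m["minor"]), int(m["patch"]))
    if version < FIRST_AFFECTED:
        return "not-affected"   # e.g. 1.0.2 and 1.1.1, letter suffix ignored
    if version < FIXED:
        return "affected"
    return "fixed"


def triage(inventory: dict) -> tuple:
    """Return (host -> verdict, sorted list of hosts that need the upgrade)."""
    verdicts = {host: classify(banner) for host, banner in inventory.items()}
    return verdicts, sorted(h for h, v in verdicts.items() if v == "affected")


# Constructed sample inventory (not real hosts).
SAMPLE = {
    "db-01": "OpenSSL 1.1.1q  5 Jul 2022",
    "web-01": "OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)",
    "bsd-01": "LibreSSL 3.3.6",
    "old-01": "OpenSSL 1.0.2k-fips  26 Jan 2017",
}

if __name__ == "__main__":
    verdicts, to_patch = triage(SAMPLE)
    for host in sorted(verdicts):
        print(f"{host}: {verdicts[host]}")
    print("upgrade to 3.0.7 or later:", ", ".join(to_patch))
```

Distribution packages can backport the fix without changing the upstream version string, so an "affected" verdict should be confirmed against the distribution's own security notice. The banner also describes only the system library, not copies of OpenSSL bundled or statically linked into applications.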

Original Article Content

(published 10/28/2022)

The OpenSSL project team announced the forthcoming release of OpenSSL version 3.0.7, expected to be available on Tuesday 1st November 2022 between 1300-1700 UTC.

At the time of this writing, MarkLogic understands that this release addresses a CRITICAL vulnerability that was discovered in the OpenSSL 3.x version stream and that it does not affect earlier versions of OpenSSL. Since the MarkLogic family of products has not yet switched to OpenSSL 3.x, we believe MarkLogic Server is NOT impacted by this critical vulnerability.

OpenSSL.org is expected to provide details regarding the vulnerability itself and potential exploits on Tuesday, November 1st, along with the patch release. Since this is a CRITICAL-level vulnerability, they are giving advance notice so organizations can be ready to act as soon as the patch is released. If you want to receive announcements directly from OpenSSL.org, you can register here.
