by gjasny
1321 days ago
This is answered in their blog entry: https://www.openssl.org/blog/blog/2022/11/01/email-address-o...

A: CVE-2022-3602 was originally assessed by the OpenSSL project as CRITICAL as it is an arbitrary 4-byte stack buffer overflow, and such vulnerabilities may lead to remote code execution (RCE).

During the week of prenotification, several organisations performed testing and gave us feedback on the issue, looking at the technical details of the overflow and stack layout on common architectures and platforms.

Firstly, we had reports that on certain Linux distributions the stack layout was such that the 4 bytes overwrote an adjacent buffer that was yet to be used and therefore there was no crash or ability to cause remote code execution.

Secondly, many modern platforms implement stack overflow protections which would mitigate against the risk of remote code execution and usually lead to a crash instead.

However, as OpenSSL is distributed as source code we have no way of knowing how every platform and compiler combination has arranged the buffers on the stack and therefore remote code execution may still be possible on some platforms.

Our security policy states that a vulnerability might be described as CRITICAL if "remote code execution is considered likely in common situations". We no longer felt that this rating applied to CVE-2022-3602 and therefore it was downgraded on 1st November 2022, before being released, to HIGH.
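The quoted text turns on two mechanics: an off-by-one that stores exactly one 4-byte element past a fixed-size buffer, and the fact that what that element lands on (an unused neighbouring buffer, a stack canary, a saved return address) is decided by the compiler, not the code. The C program below is an added illustration of that pattern; it is not part of gjasny's comment and not OpenSSL's code, and the names (`decode_ctx`, `push_vulnerable`, `push_fixed`), the `>` versus `>=` form of the bounds check and the constructed code points are all assumptions made here. Instead of relying on the compiler's stack layout, it forces the "adjacent buffer that was yet to be used" to sit directly after the output buffer by putting both in one heap-allocated struct, so the spill is deterministic and corrupts nothing else.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration, not OpenSSL's code: a decoder appends 32-bit
 * code points to a fixed-size output buffer. `next` is a second buffer
 * placed directly after it, standing in for the not-yet-used adjacent
 * buffer from the post. Both are volatile so the compiler cannot delete
 * the out-of-bounds store or fold the read that observes it. */
#define MAX_OUT 4
#define UNTOUCHED 0xAAAAAAAAu   /* sentinel placed in `next` before decoding */

struct decode_ctx {
    volatile unsigned int out[MAX_OUT]; /* buffer handed to the decoder   */
    volatile unsigned int next[2];      /* adjacent buffer, caller's, unused */
};

/* Hypothetical vulnerable bounds check: it only rejects when the buffer is
 * already over-full, so with *written == max_out the store still happens
 * and lands at out[max_out], exactly one 4-byte element past the end. */
int push_vulnerable(volatile unsigned int *out, size_t max_out,
                    size_t *written, unsigned int cp)
{
    if (*written > max_out)          /* off by one: should be >= */
        return 0;
    out[(*written)++] = cp;
    return 1;
}

/* Hardened form: refuse any store that would not fit. */
int push_fixed(volatile unsigned int *out, size_t max_out,
               size_t *written, unsigned int cp)
{
    if (*written >= max_out)
        return 0;
    out[(*written)++] = cp;
    return 1;
}

typedef int (*push_fn)(volatile unsigned int *, size_t, size_t *, unsigned int);

/* Feed n constructed code points 0x1000, 0x1001, ... through push(), report
 * how many were accepted, and return what is left in next[0] afterwards
 * (UNTOUCHED if the decoder stayed inside its own buffer). On a real stack
 * the neighbour could be a canary or a saved return address instead. */
unsigned int run_decode(push_fn push, size_t n, size_t *accepted)
{
    struct decode_ctx *ctx = malloc(sizeof *ctx);
    size_t written = 0, i;
    unsigned int spill;

    *accepted = 0;
    if (ctx == NULL)
        return UNTOUCHED;
    for (i = 0; i < MAX_OUT; i++)
        ctx->out[i] = 0;
    for (i = 0; i < 2; i++)
        ctx->next[i] = UNTOUCHED;

    for (i = 0; i < n; i++)
        if (push(ctx->out, MAX_OUT, &written, 0x1000u + (unsigned int)i))
            (*accepted)++;

    spill = ctx->next[0];
    free(ctx);
    return spill;
}

/* Convenience wrappers so each result can be checked by name. */
size_t count_accepted(push_fn push, size_t n)
{
    size_t accepted;
    run_decode(push, n, &accepted);
    return accepted;
}

unsigned int spill_after(push_fn push, size_t n)
{
    size_t accepted;
    return run_decode(push, n, &accepted);
}

int main(void)
{
    printf("vulnerable: accepted %zu of 6, next[0] = 0x%08x\n",
           count_accepted(push_vulnerable, 6), spill_after(push_vulnerable, 6));
    printf("fixed:      accepted %zu of 6, next[0] = 0x%08x\n",
           count_accepted(push_fixed, 6), spill_after(push_fixed, 6));
    return 0;
}
```

With six inputs the vulnerable check accepts five: the fifth store goes to `out[4]`, which is `next[0]`, so the adjacent buffer silently receives 0x1004 and nothing crashes, which is the benign outcome the post reports for some Linux builds. The fixed check accepts four and leaves `next` untouched. If the same one-element overrun happened in a stack frame compiled with `-fstack-protector` and the canary were the neighbour, the function would abort on return with a stack-smashing error rather than continue, which is the "crash instead" case; whether the neighbour is a spare buffer, a canary or a return address is exactly the per-platform layout question the OpenSSL team says it cannot settle from source alone.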