This repo contains operational information regarding CVE-2022-3602 and CVE-2022-3786, two vulnerabilities in OpenSSL 3.0.0-3.0.6. For more information see:

• OpenSSL Security Advisory
• OpenSSL Blogpost FAQ
• CERT-Bund advisory (DE)
• CISA advisory
• NCSC-NL advisory (NL)
• OpenSSL pre-notification
• OpenSSL release notification
• SANS Internet Storm Center Blogpost

OpenSSL is a library used for cryptographic purposes, especially in the field of network connections. For example, web servers often use OpenSSL to establish encrypted HTTPS connections. Mail servers and VPN protocols such as OpenVPN also use OpenSSL to establish encrypted communication channels. The library can be found in a broad array of products, including network devices, embedded systems and container images.

The vulnerability is present in products using OpenSSL 3.0.0-3.0.6. Products that use OpenSSL 1.0.2 or 1.1.1 are not affected.

Currently no complete overview of vulnerable products is available. Please see software/README.md for a list of products that are known to be vulnerable. The list is a work in progress. For more information about specific products, please refer to your supplier.

For up-to-date information about patches and mitigations, please refer to your product vendor.

There are currently no known IoCs that indicate exploitation of this vulnerability. IoCs will be shared - when possible - through this repository. For network detection rules please see iocs_detection/README.md.

We would like to thank every single one that provided source information or whom contributed to our GitHub page.

Below we present a very incomplete list of contributants or sources we consider the repository's hall of fame:

• SANS
• SURFcert
• @jspaans
• @robert-scheck
• @RobinFlikkema
• @fox-srt
• @Royce Williams