Greetings from the VMware Security Response Center!
On November, 1st 2022 the OpenSSL Project disclosed CVE-2022-3602 and CVE-2022-3786 – potentially critical severity vulnerabilities present in OpenSSL 3.0.x.
The VMware Security Response Center (vSRC) has been working with our various product engineering teams in an attempt to determine if the small subset of VMware products that ship with OpenSSL 3.0.x are vulnerable to exploitation via CVE-2022-3602 and CVE-2022-3786.
To date, no VMware products have been found to be critically impacted by CVE-2022-3602 or CVE-2022-3786. Regardless, VMware products that consume OpenSSL 3.0.x will consume 3.0.7 fixes as a precautionary measure in upcoming releases.
Note that the original ‘forthcoming release announcement’ provided by the OpenSSL Project had described CVE-2022-3602 and CVE-2022-3786 as a single vulnerability of ‘Critical’ severity but it has now been downgraded to ‘High’ and split into two separate vulnerabilities. This does not change VMware’s evaluation as our investigations expected these issues would be chained together.
Investigations are ongoing as this is a developing event. If any currently supported VMware products are found to be critically impacted by CVE-2022-3602 and CVE-2022-3786 a VMware Security Advisory (VMSA) will be published documenting the required call to action for impacted product(s).
Sign up to be alerted when VMSAs are published or updated on our main advisory page by clicking “Sign up for Security Advisories” here: https://www.vmware.com/security/advisories.html
For more information on the VMware Security Response Center and our policies please see: https://www.vmware.com/support/policies/security_response.html
November 1st 2022: Initial publication.