- Out-of-Cycle Juniper Security Advisory Released
- Cisco Releases Security Updates for Multiple Products
- OpenSSL Releases Security Update
- Joint CISA FBI MS-ISAC Guide on Responding to DDoS Attacks and DDoS Guidance for Federal Agencies
- VMware Releases Security Updates
High severity security issues resolved in OpenSSL 3.0.7 (CVE-2022-3602, CVE-2022-3786)
Multiple buffer overrun vulnerabilities in OpenSSL 3.0 prior to OpenSSL 3.0.7 can be triggered in X.509 certificate verification, specifically in name constraint checking.
These issues affect Juniper Networks Junos OS Evolved versions later than 22.1R1-EVO.
These issues do not affect:
- Juniper Networks Junos OS Evolved versions prior to 22.1R1-EVO;
- Juniper Networks Junos OS;
- Juniper Networks Mist;
- Juniper Networks CTPOS;
- Juniper Networks CTPView;
- Juniper Networks 128T (Session Smart Router);
- Juniper Networks SBR Carrier;
- Juniper Networks Paragon Active Assurance (formerly Netrounds).
The vulnerabilities affect only OpenSSL 3.0.0 and later releases. Earlier versions, such as OpenSSL 0.9.x, 1.0.x and 1.1.x, are unaffected by these vulnerabilities.
Other products and platforms are still under investigation.
An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the '.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.
Software will be updated to resolve these two issues by upgrading OpenSSL to 3.0.7 in all affected products, platforms, and releases.
Until the updates are released, because SSL is used for remote network configuration and management applications such as J-Web and the SSL service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos OS Evolved may include:
- Disable J-Web
- Disable the SSL service for JUNOScript and use only NETCONF, which runs over SSH, to make configuration changes
- Limit access to J-Web and XNM-SSL to trusted networks only
Due to the nature of this specific vulnerability, in addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit management access to the device to trusted administrative networks or hosts only.
2022-11 Out of Cycle Security Bulletin:
Cisco has released security updates for multiple products.
Multiple current versions of Cisco products contain vulnerabilities.
A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
We encourage users and administrators to review the advisories and apply the necessary updates, per Cisco’s recommendations.
CISA Security Advisory page:
Cisco Security Advisory page:
Vulnerabilities in OpenSSL Affecting Cisco Products: November 2022:
OpenSSL has released a security advisory to address two vulnerabilities, CVE-2022-3602 and CVE-2022-3786, affecting OpenSSL versions 3.0.0 through 3.0.6.
Both CVE-2022-3602 and CVE-2022-3786 can cause a denial of service.
A buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.
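The affected range stated above (OpenSSL 3.0.0 through 3.0.6) is easy to check on hosts where the `openssl` binary is present. The following POSIX shell script is an added example for this roundup, not code from OpenSSL, Cisco, Juniper or CISA; it parses the string that `openssl version` prints and reports whether the version falls in the affected range. The sample version strings at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from any of the advisories above): classify an
# OpenSSL version string against the range the advisory names as
# affected, 3.0.0 through 3.0.6 (fixed in 3.0.7).

# openssl_affected "<output of: openssl version>"
# Returns 0 (true) when the version is 3.0.0 .. 3.0.6, 1 otherwise.
openssl_affected() {
    # Word-split the input: $1 becomes "OpenSSL", $2 the version,
    # e.g. "OpenSSL 3.0.5 5 Jul 2022" -> ver=3.0.5
    set -- $1
    ver=$2
    # Drop any letter suffix used by the 1.x series (1.1.1q -> 1.1.1)
    # and any "-dev"/"-beta" tail so only digits and dots remain.
    ver=$(printf '%s' "$ver" | sed 's/[^0-9.].*$//')
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # A missing patch component (e.g. "3.0") is treated as 0.
    [ "$rest" = "$patch" ] && patch=0
    [ "$major" = 3 ] && [ "$minor" = 0 ] && [ "${patch:-0}" -le 6 ]
}

# Convenience wrapper for the local host: prints a verdict line.
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        v=$(openssl version)
        if openssl_affected "$v"; then
            echo "AFFECTED: $v (upgrade to OpenSSL 3.0.7 or later)"
        else
            echo "not affected: $v"
        fi
    else
        echo "openssl binary not found on this host"
    fi
}

# Constructed sample strings (not real host output) to show the verdicts.
for s in "OpenSSL 3.0.5 5 Jul 2022" "OpenSSL 3.0.7 1 Nov 2022" \
         "OpenSSL 1.1.1q  5 Jul 2022" "OpenSSL 3.0.0 7 Sep 2021"; do
    if openssl_affected "$s"; then echo "AFFECTED:     $s"; else echo "not affected: $s"; fi
done
check_local_openssl
```

Two caveats when using this as an inventory check: distribution builds sometimes backport the fix without changing the version string, so a "3.0.2" reported by a vendor package may already be patched and the package changelog is authoritative; and appliances such as the Junos OS Evolved platforms listed above bundle their own OpenSSL, so for them the vendor advisory, not a version string on a management host, determines exposure.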
CISA security advisory:
2022 OpenSSL vulnerability – CVE-2022-3602 GitHub repository:
OpenSSL 3.0.7 Announcement:
CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released Understanding and Responding to Distributed Denial-of-Service Attacks to provide organizations proactive steps to reduce the likelihood and impact of distributed denial-of-service (DDoS) attacks.
The guidance is for both network defenders and leaders to help them understand and respond to DDoS attacks.
DDoS attacks can cost an organization time, money, and reputational damage.
Concurrently, CISA has released Capacity Enhancement Guide (CEG): Additional DDoS Guidance for Federal Agencies, which provides federal civilian executive branch (FCEB) agencies additional DDoS guidance, including recommended FCEB contract vehicles and services that provide DDoS protection and mitigations.
We encourage all network defenders and leaders to review:
- Joint guide: Understanding and Responding to Distributed Denial-of-Service Attacks
- CEG: Additional DDoS Guidance for Federal Agencies
- Tip: Understanding Denial-of-Service Attacks
Joint guide: Understanding and Responding to Distributed Denial-of-Service Attacks:
CEG: Additional DDoS Guidance for Federal Agencies:
Tip: Understanding Denial-of-Service Attacks:
Link to CISA advisory:
VMware has released security updates to address multiple vulnerabilities in VMware Cloud Foundation.
A remote attacker could exploit one of these vulnerabilities to take control of an affected system.
We encourage organizations to review VMware Security Advisory VMSA-2022-002 and apply the necessary updates and workarounds.
CISA Bulletin: VMware Releases Security Updates: