Security Advisory

OpenSSL 3 vulnerability (CVE-2022-3786 and CVE-2022-3602)

Description:

On 1 November 2022 the OpenSSL project released high-severity security updates for OpenSSL 3 (CVE-2022-3786 and CVE-2022-3602). A question and answer document published by the OpenSSL project provides more detailed information. With this security advisory we aim to provide information on whether your OpenVPN software is affected and, if it is, how to resolve the issue.

OpenVPN Access Server uses the OpenSSL library that comes with the operating system. On most operating systems this is OpenSSL 1.1.1, which is not affected by this security issue. If, however, you run Access Server on Ubuntu 22 or Red Hat 9 (or an equivalent OS), it will be using the OpenSSL 3 library and you should remediate the situation by upgrading the OpenSSL 3 library in the operating system using the standard apt or yum tools. Guidance on the commands to run to install updates on these operating systems is in the resolution section below.

CloudConnexa uses OpenSSL 1.1.1 and is therefore not affected.

OpenVPN Connect uses OpenSSL 1.1.1 and is therefore not affected.

OpenVPN GUI uses OpenSSL 1.1.1 and is therefore not affected.

OpenVPN community edition is affected by this issue if you use OpenSSL 3.

OpenVPN for Android is affected, and updating to version 0.7.42 resolves the issue.

Other programs that use OpenVPN may also be affected. We recommend checking with the software maintainer whether the program is affected and whether an update is available to resolve the issue.

Resolution:

To update packages on your operating system (including the OpenSSL 3 library) you can execute the update/upgrade commands as a user with root privileges.

For Ubuntu 22:

apt-get update
apt-get upgrade

For Red Hat 9 (or equivalent OS):

yum check-update
yum update

You can verify the version of OpenSSL now installed with this command:

openssl version

If you see a version like 1.1.1n then you are using OpenSSL 1.1.1 and are not affected by this issue. If you see a version that starts with a 3, check that the particular OpenSSL release for your operating system resolves CVE-2022-3786 and CVE-2022-3602.

It is advisable to restart the system after installing the OpenSSL update, to ensure that all processes will be using the new library. It is also possible to restart services individually, but a system restart will cover all services.
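As an added check that is not part of this advisory, the shell script below classifies the banner printed by "openssl version" (as described in the verification step above) and lists processes that still map a replaced libssl and so need the restart recommended above. It assumes that upstream OpenSSL fixed both CVEs in 3.0.7 and that a distribution may backport the fix into an older 3.0.x package version, so a 3.0.x below 3.0.7 is reported as needing a package-changelog check rather than declared vulnerable.

```shell
#!/bin/sh
# Added example, not code from the OpenVPN advisory.
# Assumption: upstream fix for CVE-2022-3786 / CVE-2022-3602 is OpenSSL 3.0.7;
# distribution packages (e.g. a 3.0.2-based package) may carry the fix as a
# backport, which this banner check cannot see.

# classify_openssl_version "OpenSSL 3.0.2 15 Mar 2022"
# prints one of: not-affected | fixed | check-distro-patch | unknown
classify_openssl_version() {
    # split the banner into words: $1 = library name, $2 = version
    set -- $1
    [ "$1" = "OpenSSL" ] || { echo "unknown"; return 0; }
    ver=$2
    case "$ver" in
        0.*|1.*) echo "not-affected"; return 0 ;;   # 1.1.1 and older lack the affected code
        3.*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    # POSIX parameter expansion instead of arrays: 3.0.7 -> minor=0 patch=7
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop a letter suffix, if any
    if [ "$minor" -gt 0 ] 2>/dev/null || [ "${patch:-0}" -ge 7 ] 2>/dev/null; then
        echo "fixed"                 # 3.0.7 or later, or a 3.1+ release
    else
        echo "check-distro-patch"    # 3.0.0-3.0.6: vulnerable unless the distro backported the fix
    fi
    return 0
}

# PIDs whose mapped libssl was replaced on disk after they started: these
# keep running the pre-upgrade library until the service or system restarts.
processes_using_stale_libssl() {
    grep -ls 'libssl.*(deleted)' /proc/[0-9]*/maps 2>/dev/null \
        | sed -E 's#^/proc/([0-9]+)/maps$#\1#'
    return 0
}

# Run against the live system when openssl is installed.
if command -v openssl >/dev/null 2>&1; then
    classify_openssl_version "$(openssl version)"
    processes_using_stale_libssl
fi
```

A "fixed" result only states the upstream version; on Ubuntu or Red Hat confirm the package changelog (apt changelog libssl3, rpm -q --changelog openssl) names the two CVEs.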