# OpenSSL Vulnerability Rating Downgraded to High

By [Hari Srinivasan](https://www.paloaltonetworks.com/blog/author/hari-srinivasan/?ts=markdown "Posts by Hari Srinivasan"), [Daniel Prizmant](https://www.paloaltonetworks.com/blog/author/daniel-prizmant/?ts=markdown "Posts by Daniel Prizmant"), [Taylor Smith](https://www.paloaltonetworks.com/blog/author/taylor-smith/?ts=markdown "Posts by Taylor Smith") and [Ariel Zelivansky](https://www.paloaltonetworks.com/blog/author/ariel-zelivansky/?ts=markdown "Posts by Ariel Zelivansky")

Oct 29, 2022 · 5 minutes

Categories: [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Cloud Workload Protection](https://www.paloaltonetworks.com/blog/category/cloud-workload-protection/?ts=markdown), [DevSecOps](https://www.paloaltonetworks.com/blog/category/devsecops/?ts=markdown), [Web Application & API Security](https://www.paloaltonetworks.com/blog/cloud-security/category/web-application-api-security/?ts=markdown), [OpenSSL](https://www.paloaltonetworks.com/blog/tag/openssl/?ts=markdown)

## High Security Vulnerability in OpenSSL: CVE-2022-3602 and CVE-2022-3786

On Tuesday, October 25, the OpenSSL project team released an [advisory](https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html) announcing the forthcoming release of OpenSSL version 3.0.7. The advisory was issued to call attention to a critical vulnerability in OpenSSL versions 3.0.0 through 3.0.6. The OpenSSL 3.0.7 release will be available on Tuesday, November 1, 2022. The Prisma Cloud security research team is actively monitoring the vulnerability and the security fix release.

## Update: 11/01/2022

On November 1, 2022, the OpenSSL project team released the patch notes for OpenSSL 3.0.7 as [anticipated](https://www.openssl.org/news/secadv/20221101.txt). The full [security advisory](https://www.openssl.org/news/secadv/20221101.txt) for what are now known as CVE-2022-3602 and CVE-2022-3786 was also released.

According to the advisory, the vulnerabilities lie in the parsing of email addresses during X.509 name constraint checking. An attacker would need to place a specially crafted email address in a certificate to trigger the vulnerability. To leverage it, though, they would also need either a CA (certificate authority) installed on the target to have signed the malicious certificate containing that email address, or an OpenSSL instance that continues certificate verification despite failing to construct a path to a trusted issuer. These two conditions make exploitation of the vulnerabilities unlikely.

The vulnerabilities, which were initially rated Critical severity, have been downgraded to High severity. Their impact ranges from denial of service of the affected instance to, depending on some prerequisites, remote code execution (RCE).
### User Action Required

The Prisma Cloud Intelligence Stream is updated regularly to include known information regarding vulnerabilities. At this time, users should upgrade all OpenSSL instances between 3.0.0 and 3.0.6 to version 3.0.7. This blog post will continue to be updated to describe relevant protections for Prisma Cloud users.

## OpenSSL Overview

OpenSSL, first released in 1998, is an open-source cryptography library with a wide variety of applications around the SSL and TLS protocols. OpenSSL allows users to perform various SSL-related tasks, such as private key generation, CSR (Certificate Signing Request) creation, SSL certificate installation, and more. Most Linux distributions ship with OpenSSL pre-compiled, which is what makes a vulnerability in this component so dangerous, particularly considering the thousands of companies around the world that use OpenSSL daily.

Many readers will remember a vulnerability dubbed [Heartbleed](https://www.paloaltonetworks.com/blog/2014/04/real-world-impact-heartbleed-cve-2014-0160-web-just-start/) that shook the world with its pervasive impact. Although some entertained concerns that this new vulnerability would have a similar widespread impact, that fortunately will not be the case.

## Who Is Potentially Affected?

Any OpenSSL version from 3.0.0 through 3.0.6 is vulnerable, as is any application that uses an affected OpenSSL library (including applications that bundle or statically link their own copy). OpenSSL 3 only comes standard with the newest Linux distributions, such as Ubuntu 22.04 or RHEL 9, so most Linux machines aren't running the latest version of OpenSSL and won't be affected.

## Prepare for the Update Using Prisma Cloud

Prisma Cloud users can prepare by inventorying the workloads with OpenSSL packages. Use Vulnerability Explorer to search for workloads with the vulnerability.
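As an added example (not code from this post or from Prisma Cloud), the script below applies the advisory's affected range, 3.0.0 through 3.0.6 with 3.0.7 as the fixed release, to a constructed inventory of version strings in the forms a package manager or `openssl version` reports them, and lists which assets need the upgrade. The inventory format, asset names and version strings are assumptions made for the demonstration.

```python
"""Inventory check for the OpenSSL 3.0.0-3.0.6 range (CVE-2022-3602 / CVE-2022-3786).

Added example, not code from the blog post or from Prisma Cloud. It assumes
only what the advisory states: versions 3.0.0 through 3.0.6 are affected and
3.0.7 is the fixed release. The inventory format (asset name plus the raw
version string reported by a package manager or `openssl version`) is a
constructed assumption for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (3, 0, 0)  # first affected release
FIXED: Version = (3, 0, 7)         # first fixed release

# Captures the numeric triple from strings such as "3.0.2", "3.0.2-0ubuntu1.6",
# "OpenSSL 3.0.5 5 Jul 2022" or "openssl-libs-3.0.7-1.el9.x86_64". A trailing
# release letter (as in the 1.1.1n series) is tolerated and ignored.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)[a-z]?\b")


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) for the first version number in text, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version: Version) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= version < FIXED


@dataclass
class Finding:
    asset: str
    raw: str
    version: Optional[Version]
    status: str  # "affected", "not-affected" or "unknown"


def classify(asset: str, raw: str) -> Finding:
    """Classify one inventory entry; an unparseable version is reported, not dropped."""
    version = parse_version(raw)
    if version is None:
        status = "unknown"
    elif is_affected(version):
        status = "affected"
    else:
        status = "not-affected"
    return Finding(asset, raw, version, status)


def scan(inventory: List[Tuple[str, str]]) -> List[Finding]:
    return [classify(asset, raw) for asset, raw in inventory]


def affected_assets(inventory: List[Tuple[str, str]]) -> List[str]:
    """Names of the assets that must be upgraded to 3.0.7."""
    return [f.asset for f in scan(inventory) if f.status == "affected"]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status so the unknowns are visible, not silently ignored."""
    counts = {"affected": 0, "not-affected": 0, "unknown": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


# Constructed sample inventory (asset, raw version string as a scanner might report it).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("web-frontend:1.4", "libssl3 3.0.2-0ubuntu1.6"),     # dpkg-style, Ubuntu 22.04 era
    ("api-gateway:2.1", "OpenSSL 3.0.5 5 Jul 2022"),       # `openssl version` output
    ("legacy-host-01", "OpenSSL 1.1.1n  15 Mar 2022"),     # 1.1.1 branch, outside the range
    ("build-runner", "openssl-libs-3.0.7-1.el9.x86_64"),   # rpm-style, already patched
    ("scratch-image", "openssl (version unavailable)"),    # no version: needs manual review
]

if __name__ == "__main__":
    findings = scan(SAMPLE_INVENTORY)
    for f in findings:
        print(f"{f.status:<13} {f.asset:<18} {f.raw}")
    print(summarize(findings))
```

Two design points matter in practice. The range test is a half-open comparison on the numeric triple (`3.0.0 <= v < 3.0.7`), so a later 3.0.x release is never misreported as vulnerable. And an entry whose version cannot be parsed is kept as "unknown" rather than discarded, because a package list only sees what the package manager installed; an application image that bundles or statically links its own libssl shows up nowhere in `dpkg`/`rpm` output, which is exactly where a per-asset SBOM, as described in the next section, fills the gap.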
![Identify vulnerabilities in your cloud-native environment using Prisma Cloud's Vulnerability Explorer.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/11/word-image-5.png "OpenSSL Vulnerability remediation")

Identify vulnerabilities in your environment using Vulnerability Explorer.

Determine whether your images, containers, and hosts have OpenSSL packages by querying the Package Information. Prisma Cloud provides an asset's complete [software bill of materials (SBOM)](https://www.paloaltonetworks.com/cyberpedia/what-is-software-bill-materials-sbom).

![OpenSSL Vulnerability and SBOM](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/10/word-image-69.png "OpenSSL Vulnerability and SBOM")

Package info for an image, with details about every package, its path, and its source.

Once the vulnerability details are disclosed, you can detect, block, and remediate it in IaC templates, CI/CD pipelines, container registries, and your runtime-deployed hosts and containers. A banner at the top of the Projects and Supply Chain pages helps you filter down to the relevant results.

![Projects page using the disclosure banner filter.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2032/11/word-image-2.png "Prisma Cloud Projects Page using the disclosure banner filter")

Projects page using the disclosure banner filter.

Even before deployment, Prisma Cloud helps identify vulnerabilities in [images referenced](https://www.paloaltonetworks.com/blog/prisma-cloud/secure-vulnerable-images-in-iac-templates-with-prisma-cloud/) in infrastructure as code (IaC), giving developers early warning of vulnerabilities and a chance to fix the issue in code. In this case, if an IaC template (Terraform, a Dockerfile, a Kubernetes manifest) or a CI/CD pipeline references an image carrying the vulnerable OpenSSL version, developers are flagged in their development environments and the change is blocked in pipelines, preventing vulnerable code from being merged.
![Identifying vulnerabilities in images](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/10/word-image-70.png "Image Vulnerabilities")

Prisma Cloud notifies developers of vulnerabilities in public images used as base images or referenced in IaC or CI/CD templates.

![Supply Chain view of impacted images in a repository](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/11/word-image-3.png "Corrupt images in repository")

Supply Chain view of impacted images in a repository, with a built-in filter.

Compute Radar provides a graphical view of workload deployments in which users can review the affected environments by vulnerability severity. For workloads with applications and APIs receiving external traffic, defend by applying a web application firewall and a virtual patch with a single click.

![Defending against OpenSSL vulnerabilities with Prisma Cloud's Radar View](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/10/word-image-72.png "Prisma Cloud's Radar View")

Radar view of a running application with vulnerabilities identified.

## Summary

OpenSSL is a core component of many workloads and the backbone of applications that rely on networks. Although some details pertaining to the latest vulnerabilities are forthcoming, security teams should patch vulnerable systems to version 3.0.7. Prisma Cloud customers can apply controls to address this vulnerability across multiple stages of the application lifecycle, from code to cloud.

We will update this post as details are released. We recommend you check back in the coming days to stay aware of key information.