OpenSSL CVE-2022-3602 / CVE-2022-3786

(November 1 2022 Critical High vulnerabilities) tracking

About

This is the GitHub for the companion spreadsheet for fast tracking of information about the November OpenSSL 3 vulnerability.

Data sets

• Orgs - companies, vendors, and other orgs, with public signals of potential vulnerability, blog links, KBs, etc
• OS and Packages - tracking of operating systems and package frameworks
• Products - individual products, with both likely and confirmed OpenSSLv3 status as available - NSCS-NL list rapidly coming more authoritative - focus your PRs there!

Any strong public signals of products or organizations being affected (or unaffected) are in scope.

Is this undue diligence? Perhaps. But even if this vulnerability is not widely exploitable, I'd "rather have and not need it than need it and not have it". Also, this work is now forward-ready for future vulnerabilities! 😛

Viewing the data

Because GitHub limits the width of some data, it may be easiest to view the spreadsheet.

You can also install the Stylus and Widescreen for GitHub Chrome extensions for more real estate.

Contributing

• If you're familiar with git, you can submit updates as PRs.
• Otherwise, you can open an issue or even (worst case) ping @TychoTithonus on Twitter or send an email.

TODO

• Push to GitHub Pages for better display and DataTables filtering

Related work

This information is part of an occasional series, The Story So Far. The recent entry about log4j was the only non-institutional resource included in CISA's official log4j guidance.