JCloud security update, October 2022


Multiple critical security vulnerabilities in software from different vendors have been published since the last update. Some of them are, or could be, closely related to JCloud services. Security information about these products is therefore published in this article.
JCloud does NOT use the following products, either in its infrastructure or through its employees, and is therefore NOT vulnerable to any published security vulnerabilities in:




JCloud is aware of a potential security problem with the following:


OpenSSL version 3.0

  • An undocumented critical security update has been scheduled for release on November 1st. JCloud believes the issue is either a regression in version 3.0.6, or a buffer overflow in the reference code of the Keccak SHA-3 standard. JCloud does not use version 3.0.6, and Keccak is not used in any known systems or available encryption ciphers. The algorithm is, however, enabled by default, and some non-standard solutions might use it in special circumstances. At present, we will gather more information before updating systems.

Update 2022-11-01
The security vulnerability has been classified and is considered medium for JCloud services, not critical. Some non-standard customer solutions might be more seriously affected by it.
Version 3.0.7 was deployed on 2022-11-01 at 15:20 UTC.


A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.

In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

An attacker can craft a malicious email address to overflow an arbitrary number of bytes containing the `.` character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). ([CVE-2022-3786])

An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution depending on stack layout for any given platform/compiler. ([CVE-2022-3602])
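A practical follow-up to the update above and to the advisory text is an inventory check: which hosts still run an affected OpenSSL 3.0.x build, and which of those are actually reachable by the attack paths described (a TLS client talking to untrusted servers, or a TLS server that requests client certificates). The script below is an added example written for this article, not JCloud's tooling or OpenSSL's. It takes the affected range as 3.0.0 up to but not including 3.0.7 (the fixed release deployed on 2022-11-01), treats LibreSSL and OpenSSL 1.1.1 banners as unaffected, and classifies exposure exactly along the lines the advisory text draws. The host inventory at the bottom is constructed sample data; the `local_openssl_banner` helper reads the real `openssl version` output on the machine it runs on and falls back to the library the Python interpreter itself links against, which can be a different build.

```python
import re
import ssl
import subprocess
from typing import Dict, List, Optional, Tuple

# Affected range for CVE-2022-3602 / CVE-2022-3786: OpenSSL 3.0.0 .. 3.0.6.
# 3.0.7 is the fixed release named in the advisory above.
FIRST_AFFECTED = (3, 0, 0)
FIXED_IN = (3, 0, 7)

# Matches the leading "OpenSSL x.y.z" of an `openssl version` banner.
# LibreSSL banners deliberately do not match and are treated as unaffected.
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)[a-z]*")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a version banner, or None if it is not OpenSSL."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(banner: str) -> bool:
    """True only for OpenSSL builds in the 3.0.0 .. 3.0.6 range."""
    version = parse_openssl_version(banner)
    if version is None:
        return False
    return FIRST_AFFECTED <= version < FIXED_IN


def exposure(banner: str, role: str, requests_client_auth: bool = False) -> str:
    """Classify one deployment using the advisory's attack paths.

    role is "client" or "server". A TLS client on an affected build is exposed
    to any malicious server it connects to; a TLS server is exposed only if it
    requests client authentication, since the overflow sits in certificate
    verification of the peer's certificate.
    """
    if not is_affected(banner):
        return "not affected"
    if role == "client":
        return "exposed: TLS client can be attacked by a malicious server"
    if role == "server":
        if requests_client_auth:
            return "exposed: TLS server requests client authentication"
        return "affected version, but server does not request client certificates"
    raise ValueError(f"unknown role {role!r}")


def audit(inventory: List[Tuple[str, str, str, bool]]) -> Dict[str, str]:
    """Map host name -> exposure label for a list of (host, banner, role, client_auth)."""
    return {host: exposure(banner, role, client_auth)
            for host, banner, role, client_auth in inventory}


def local_openssl_banner() -> str:
    """Banner of the `openssl` CLI on this host, else the library Python links against."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True)
        return out.stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return ssl.OPENSSL_VERSION


# Constructed sample inventory (hypothetical hosts and banners, not real systems).
SAMPLE_INVENTORY: List[Tuple[str, str, str, bool]] = [
    ("web-edge-1",   "OpenSSL 3.0.5 5 Jul 2022",    "server", False),
    ("mtls-api-1",   "OpenSSL 3.0.6 4 Oct 2022",    "server", True),
    ("batch-fetch-1","OpenSSL 3.0.2 15 Mar 2022",   "client", False),
    ("legacy-db-1",  "OpenSSL 1.1.1q  5 Jul 2022",  "server", True),
    ("bsd-proxy-1",  "LibreSSL 3.3.6",              "client", False),
    ("patched-1",    "OpenSSL 3.0.7 1 Nov 2022",    "client", False),
]


if __name__ == "__main__":
    for host, label in audit(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {label}")
    print(f"{'this host':14s} {exposure(local_openssl_banner(), 'client')}")
```

The version comparison is done on integer tuples rather than on the banner string, so pre-release suffixes and the date text after the version never influence the result, and a 3.1.x build correctly falls outside the affected range. The `role` and `requests_client_auth` inputs are what turn a raw "affected build" list into a prioritised one: an affected server that never asks for client certificates is a patching task, while an affected client that connects to arbitrary servers, or an mTLS endpoint, is the case the advisory describes as directly triggerable.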