FortiDevSec is an application security testing product that offers comprehensive SaaS-based continuous application testing for software developers and DevOps teams, without the need for any security expertise.
This article describes OpenSSL X.509 certificate verification buffer overflow vulnerabilities detection with FortiDevSec.
CVE-2022-3602 and CVE-2022-3786 are zero-day vulnerabilities discovered in the popular open-source library OpenSSL. Both vulnerabilities are triggered by the X.509 certificate verification code.
Those zero-days can result in a crash or potential remote code execution, allowing an attacker either to impact the availability of the service or to gain full control of the target.
This applies to the FortiDevSec Container scanner since version 22.4.a.
Both vulnerabilities are detected by the FortiDevSec Container scanner, which identifies OS packages and open-source dependencies in all container layers provided.
The container scanner is enabled by default.
A step-by-step guide on how to scan your application is available in the user guide.
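To illustrate the kind of check a container scanner performs when it walks image layers, the following added example (not FortiDevSec code, and not a description of its internal logic) reads constructed package-database excerpts in dpkg and apk format, extracts the upstream OpenSSL version, and flags packages in the affected range. The upstream affected range is OpenSSL 3.0.0 through 3.0.6, fixed in 3.0.7; OpenSSL 1.1.1 and 1.0.2 are not affected. The package names, file contents and version strings below are all constructed sample data.

```python
"""Flag OpenSSL packages affected by CVE-2022-3602 / CVE-2022-3786.

Added example, not FortiDevSec code. It mimics one step of what a
container scanner does: read OS package metadata from an image layer
and compare the upstream version against the affected range
(3.0.0 <= version <= 3.0.6). All sample data is constructed.
"""
import re

# Constructed excerpt of a Debian/Ubuntu dpkg status file, as found at
# /var/lib/dpkg/status inside an image layer.
DPKG_STATUS = """\
Package: libssl3
Status: install ok installed
Version: 3.0.5-2ubuntu2

Package: openssl
Status: install ok installed
Version: 3.0.5-2ubuntu2

Package: libssl1.1
Status: install ok installed
Version: 1.1.1n-0+deb11u3

Package: curl
Status: install ok installed
Version: 7.81.0-1ubuntu1.6
"""

# Constructed excerpt of an Alpine /lib/apk/db/installed file
# (P: package name, V: version).
APK_INSTALLED = """\
P:libssl3
V:3.0.7-r0

P:openssl
V:3.0.7-r0
"""

# Package names that ship OpenSSL on common distributions (constructed list).
OPENSSL_PKGS = {"openssl", "libssl3", "libssl1.1", "libssl-dev", "openssl-libs"}
AFFECTED_CVES = ("CVE-2022-3602", "CVE-2022-3786")


def parse_dpkg_status(text):
    """Yield (package, version) for every installed entry in a dpkg status file."""
    for block in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if fields.get("Status", "").endswith("installed"):
            yield fields["Package"], fields["Version"]


def parse_apk_installed(text):
    """Yield (package, version) for every entry in an apk installed database."""
    for block in text.strip().split("\n\n"):
        fields = dict(line.split(":", 1) for line in block.splitlines() if ":" in line)
        if "P" in fields and "V" in fields:
            yield fields["P"], fields["V"]


def upstream_version(pkg_version):
    """Strip epoch and distro revision: '1:3.0.5-2ubuntu2' -> (3, 0, 5)."""
    m = re.match(r"(?:\d+:)?(\d+)\.(\d+)\.(\d+)", pkg_version)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(pkg_version):
    """True when the upstream version falls in the 3.0.0 - 3.0.6 range."""
    v = upstream_version(pkg_version)
    return v is not None and (3, 0, 0) <= v <= (3, 0, 6)


def find_affected(packages):
    """Return [(package, version, cves)] for OpenSSL packages in the affected range."""
    return [(name, ver, AFFECTED_CVES) for name, ver in packages
            if name in OPENSSL_PKGS and is_affected(ver)]


if __name__ == "__main__":
    for layer_name, hits in (
        ("dpkg layer", find_affected(parse_dpkg_status(DPKG_STATUS))),
        ("apk layer", find_affected(parse_apk_installed(APK_INSTALLED))),
    ):
        for name, ver, cves in hits:
            print(f"{layer_name}: {name} {ver} affected by {', '.join(cves)}")
        if not hits:
            print(f"{layer_name}: no affected OpenSSL packages")
```

One caveat matters for any version-based check: distributions frequently backport a fix without changing the upstream version string, so comparing the upstream version alone can report a patched package as vulnerable. A production scanner resolves the full distro version against the distribution's security advisory feed rather than stopping at the upstream number.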
For more details regarding mitigating the vulnerability by utilizing Fortinet products, refer to:
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.