Denial of service in OpenSSL



Published: 2022-12-13 | Updated: 2023-02-07
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-3996
CWE-ID CWE-667
Exploitation vector Network
Public exploit N/A
Vulnerable software
OpenSSL
Server applications / Encryption software

Vendor OpenSSL Software Foundation

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Improper locking

EUVDB-ID: #VU70142

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-3996

CWE-ID: CWE-667 - Improper Locking

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack (DoS).

The vulnerability exists due to a double-locking error that occurs when an X.509 certificate contains a malformed policy constraint and policy processing is enabled. A remote attacker can, under certain circumstances, perform a denial of service attack against the web server.

Successful exploitation of the vulnerability requires that policy processing be enabled on the server.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

OpenSSL: 3.0.0 - 3.0.7
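A quick way to triage hosts against the affected range above is to compare the reported OpenSSL version against 3.0.0 through 3.0.7. The script below is an added example written for this bulletin, not code from OpenSSL or from the bulletin's publisher; it assumes only the version range stated above, parses version strings of the form printed by `openssl version` (and by Python's `ssl.OPENSSL_VERSION`), and treats anything that is not an OpenSSL build (for example LibreSSL, which uses overlapping version numbers) as unknown rather than guessing.

```python
import re
import ssl

# Affected range as stated in the bulletin: OpenSSL 3.0.0 through 3.0.7 inclusive.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 7)

# Matches "3.0.7", "1.1.1s" (letter suffix used by 1.x releases), etc.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)\b")


def parse_openssl_version(text):
    """Extract (major, minor, patch) from a string such as
    'OpenSSL 3.0.7 1 Nov 2022' or 'OpenSSL 1.1.1s  1 Nov 2022'.
    Returns None when the string is not an OpenSSL version banner
    (LibreSSL and BoringSSL builds are deliberately not classified)."""
    if "OpenSSL" not in text:
        return None
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()[:3])


def is_affected(version):
    """True when the version lies inside the 3.0.0 - 3.0.7 range from the bulletin.
    1.1.1 and earlier, and 3.0.8 and later, are outside the range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def check_version_string(text):
    """Classify a version banner as 'affected', 'not affected' or 'unknown'."""
    v = parse_openssl_version(text)
    if v is None:
        return "unknown"
    return "affected" if is_affected(v) else "not affected"


def check_running_python():
    """Classify the OpenSSL this interpreter is linked against. Note that this
    may differ from the system openssl binary or from the library loaded by a
    web server such as nginx or Apache, which must be checked separately."""
    return check_version_string(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample banners in the format of `openssl version` output.
    samples = [
        "OpenSSL 3.0.7 1 Nov 2022",
        "OpenSSL 3.0.2 15 Mar 2022",
        "OpenSSL 1.1.1s  1 Nov 2022",
        "OpenSSL 3.0.8 7 Feb 2023",
        "LibreSSL 3.3.6",
    ]
    for s in samples:
        print(f"{s!r}: {check_version_string(s)}")
    print("This interpreter:", ssl.OPENSSL_VERSION, "->", check_running_python())
```

Two caveats when reading the result: distribution vendors often backport fixes without changing the version number, so an "affected" verdict on a distro package should be confirmed against the distro's own changelog, and the bulletin states that the issue only matters where policy processing is enabled, so a version match alone does not mean the server is exposed.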

External links

http://www.openssl.org/news/secadv/20221213.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
