#VU70142 Improper locking in OpenSSL


Published: 2022-12-13 | Updated: 2023-02-07

Vulnerability identifier: #VU70142

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-3996

CWE-ID: CWE-667

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service attack (DoS).

The vulnerability exists due to double-locking error if an X.509 certificate contains a malformed policy constraint and policy processing is enabled. A remote attacker can under certain circumstances perform a denial of service attack against the web server.

Successful exploitation of the vulnerability requires that policy processing being enabled on the server.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OpenSSL: 3.0.0 - 3.0.7

External links
http://www.openssl.org/news/secadv/20221213.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Juniper Networks Junos cRPD
Multiple vulnerabilities in Juniper Cloud Native Router
Multiple vulnerabilities in IBM Spectrum Protect Plus
VMware Tanzu products update for OpenSSL
Ubuntu update for openssl
Cloud Foundry Foundation cflinuxfs3 update for OpenSSL
Multiple vulnerabilities in librdkafka
IBM AIX and VIOS update for OpenSSL
Barracuda CloudGen WAN update for OpenSSL
Multiple vulnerabilities in argo-cd