CVE-2022-1343

Summary

CVE	CVE-2022-1343
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-05-03 16:15:00 UTC
Updated	2023-11-07 03:41:00 UTC
Description	The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL "ocsp" application. When verifying an ocsp response with the "-no_cert_checks" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).

Risk And Classification

Problem Types: CWE-295

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Hardware	Netapp	A250	-	All	All	All
Operating System	Netapp	A250 Firmware	-	All	All	All
Hardware	Netapp	A700s	-	All	All	All
Operating System	Netapp	A700s Firmware	-	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Hardware	Netapp	Aff 500f	-	All	All	All
Operating System	Netapp	Aff 500f Firmware	-	All	All	All
Hardware	Netapp	Aff 8300	-	All	All	All
Operating System	Netapp	Aff 8300 Firmware	-	All	All	All
Hardware	Netapp	Aff 8700	-	All	All	All
Operating System	Netapp	Aff 8700 Firmware	-	All	All	All
Hardware	Netapp	Aff A400	-	All	All	All
Operating System	Netapp	Aff A400 Firmware	-	All	All	All
Application	Netapp	Clustered Data Ontap	-	All	All	All
Application	Netapp	Clustered Data Ontap Antivirus Connector	-	All	All	All
Hardware	Netapp	Fabric-attached Storage A400	-	All	All	All
Operating System	Netapp	Fabric-attached Storage A400 Firmware	-	All	All	All
Hardware	Netapp	Fas 500f	-	All	All	All
Operating System	Netapp	Fas 500f Firmware	-	All	All	All
Hardware	Netapp	Fas 8300	-	All	All	All
Operating System	Netapp	Fas 8300 Firmware	-	All	All	All
Hardware	Netapp	Fas 8700	-	All	All	All
Operating System	Netapp	Fas 8700 Firmware	-	All	All	All
Hardware	Netapp	H300e	-	All	All	All
Operating System	Netapp	H300e Firmware	-	All	All	All
Hardware	Netapp	H300s	-	All	All	All
Operating System	Netapp	H300s Firmware	-	All	All	All
Hardware	Netapp	H410s	-	All	All	All
Operating System	Netapp	H410s Firmware	-	All	All	All
Hardware	Netapp	H500e	-	All	All	All
Operating System	Netapp	H500e Firmware	-	All	All	All
Hardware	Netapp	H500s	-	All	All	All
Operating System	Netapp	H500s Firmware	-	All	All	All
Hardware	Netapp	H700e	-	All	All	All
Operating System	Netapp	H700e Firmware	-	All	All	All
Hardware	Netapp	H700s	-	All	All	All
Operating System	Netapp	H700s Firmware	-	All	All	All
Application	Netapp	Santricity Smi-s Provider	-	All	All	All
Application	Netapp	Smi-s Provider	-	All	All	All
Application	Netapp	Snapmanager	-	All	All	All
Application	Netapp	Solidfire Enterprise Sds Hci Storage Node	-	All	All	All
Application	Netapp	Solidfire Hci Management Node	-	All	All	All
Application	Openssl	Openssl	All	All	All	All

References

Reference	Source	Link	Tags
cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf	MISC	cert-portal.siemens.com
git.openssl.org Git - openssl.git/commitdiff		git.openssl.org
May 2022 OpenSSL Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
git.openssl.org Git - openssl.git/commitdiff	CONFIRM	git.openssl.org
www.openssl.org/news/secadv/20220503.txt	CONFIRM	www.openssl.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Raul Metsma

Legacy QID Mappings

160072 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2022-6224)
198771 Ubuntu Security Notification for Open Secure Sockets Layer (OpenSSL) Vulnerabilities (USN-5402-1)
240641 Red Hat Update for Open Secure Sockets Layer (OpenSSL) (RHSA-2022:6224)
296082 Oracle Solaris 11.4 Support Repository Update (SRU) 48.126.1 Missing (CPUJUL2022)
354459 Amazon Linux Security Advisory for Open Secure Sockets Layer (OpenSSL) : ALAS2022-2022-195
354511 Amazon Linux Security Advisory for Open Secure Sockets Layer (OpenSSL) : ALAS2022-2022-104
354579 Amazon Linux Security Advisory for Open Secure Sockets Layer (OpenSSL) : ALAS-2022-195
355250 Amazon Linux Security Advisory for Open Secure Sockets Layer (OpenSSL) : ALAS2023-2023-051
501987 Alpine Linux Security Update for Open Secure Sockets Layer3 (OpenSSL3)
502415 Alpine Linux Security Update for Open Secure Sockets Layer3 (OpenSSL3)
502752 Alpine Linux Security Update for openssl
591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
690862 Free Berkeley Software Distribution (FreeBSD) Security Update for Open Secure Sockets Layer (OpenSSL) (fceb2b08-cb76-11ec-a06f-d4c9ef517024)
752308 SUSE Enterprise Linux Security Update for openssl-3 (SUSE-SU-2022:2306-1)
940649 AlmaLinux Security Update for Open Secure Sockets Layer (OpenSSL) (ALSA-2022:6224)