CVE-2022-1473

Summary

CVE	CVE-2022-1473
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-05-03 16:15:00 UTC
Updated	2023-11-07 03:41:00 UTC
Description	The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).

Risk And Classification

Problem Types: CWE-459

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Hardware	Netapp	A250	-	All	All	All
Operating System	Netapp	A250 Firmware	-	All	All	All
Hardware	Netapp	A700s	-	All	All	All
Operating System	Netapp	A700s Firmware	-	All	All	All
Application	Netapp	Active Iq Unified Manager	-	All	All	All
Hardware	Netapp	Aff 500f	-	All	All	All
Operating System	Netapp	Aff 500f Firmware	-	All	All	All
Hardware	Netapp	Aff 8300	-	All	All	All
Operating System	Netapp	Aff 8300 Firmware	-	All	All	All
Hardware	Netapp	Aff 8700	-	All	All	All
Operating System	Netapp	Aff 8700 Firmware	-	All	All	All
Hardware	Netapp	Aff A400	-	All	All	All
Operating System	Netapp	Aff A400 Firmware	-	All	All	All
Application	Netapp	Clustered Data Ontap	-	All	All	All
Application	Netapp	Clustered Data Ontap Antivirus Connector	-	All	All	All
Hardware	Netapp	Fabric-attached Storage A400	-	All	All	All
Operating System	Netapp	Fabric-attached Storage A400 Firmware	-	All	All	All
Hardware	Netapp	Fas 500f	-	All	All	All
Operating System	Netapp	Fas 500f Firmware	-	All	All	All
Hardware	Netapp	Fas 8300	-	All	All	All
Operating System	Netapp	Fas 8300 Firmware	-	All	All	All
Hardware	Netapp	Fas 8700	-	All	All	All
Operating System	Netapp	Fas 8700 Firmware	-	All	All	All
Hardware	Netapp	H300e	-	All	All	All
Operating System	Netapp	H300e Firmware	-	All	All	All
Hardware	Netapp	H300s	-	All	All	All
Operating System	Netapp	H300s Firmware	-	All	All	All
Hardware	Netapp	H410s	-	All	All	All
Operating System	Netapp	H410s Firmware	-	All	All	All
Hardware	Netapp	H500e	-	All	All	All
Operating System	Netapp	H500e Firmware	-	All	All	All
Hardware	Netapp	H500s	-	All	All	All
Operating System	Netapp	H500s Firmware	-	All	All	All
Hardware	Netapp	H700e	-	All	All	All
Operating System	Netapp	H700e Firmware	-	All	All	All
Hardware	Netapp	H700s	-	All	All	All
Operating System	Netapp	H700s Firmware	-	All	All	All
Application	Netapp	Santricity Smi-s Provider	-	All	All	All
Application	Netapp	Smi-s Provider	-	All	All	All
Application	Netapp	Snapmanager	-	All	All	All
Application	Netapp	Solidfire Enterprise Sds Hci Storage Node	-	All	All	All
Application	Netapp	Solidfire Hci Management Node	-	All	All	All
Application	Openssl	Openssl	All	All	All	All

References

Reference	Source	Link	Tags
OpenSSL: Multiple Vulnerabilities (GLSA 202210-02) — Gentoo security	GENTOO	security.gentoo.org
git.openssl.org Git - openssl.git/commitdiff		git.openssl.org
cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf	MISC	cert-portal.siemens.com
May 2022 OpenSSL Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
www.openssl.org/news/secadv/20220503.txt	CONFIRM	www.openssl.org
git.openssl.org Git - openssl.git/commitdiff	CONFIRM	git.openssl.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Aliaksei Levin

Legacy QID Mappings

160072 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2022-6224)
198771 Ubuntu Security Notification for Open Secure Sockets Layer (OpenSSL) Vulnerabilities (USN-5402-1)
240641 Red Hat Update for Open Secure Sockets Layer (OpenSSL) (RHSA-2022:6224)
296082 Oracle Solaris 11.4 Support Repository Update (SRU) 48.126.1 Missing (CPUJUL2022)
354459 Amazon Linux Security Advisory for Open Secure Sockets Layer (OpenSSL) : ALAS2022-2022-195
354511 Amazon Linux Security Advisory for Open Secure Sockets Layer (OpenSSL) : ALAS2022-2022-104
354579 Amazon Linux Security Advisory for Open Secure Sockets Layer (OpenSSL) : ALAS-2022-195
355250 Amazon Linux Security Advisory for Open Secure Sockets Layer (OpenSSL) : ALAS2023-2023-051
501987 Alpine Linux Security Update for Open Secure Sockets Layer3 (OpenSSL3)
502415 Alpine Linux Security Update for Open Secure Sockets Layer3 (OpenSSL3)
502752 Alpine Linux Security Update for openssl
591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
690862 Free Berkeley Software Distribution (FreeBSD) Security Update for Open Secure Sockets Layer (OpenSSL) (fceb2b08-cb76-11ec-a06f-d4c9ef517024)
710638 Gentoo Linux Open Secure Sockets Layer (OpenSSL) Multiple Vulnerabilities (GLSA 202210-02)
752308 SUSE Enterprise Linux Security Update for openssl-3 (SUSE-SU-2022:2306-1)
940649 AlmaLinux Security Update for Open Secure Sockets Layer (OpenSSL) (ALSA-2022:6224)