CVE-2022-2068

Published on: Not Yet Published

Last Modified on: 06/27/2022 11:15:00 AM UTC

Certain versions of OpenSSL from OpenSSL contain the following vulnerability:

In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).

  • CVE-2022-2068 has been assigned by [email protected] to track the vulnerability
  • Affected Vendor/Software: OpenSSL - OpenSSL version Fixed in OpenSSL 3.0.4 (Affected 3.0.0, 3.0.1, 3.0.2, 3.0.3)
  • Affected Vendor/Software: OpenSSL - OpenSSL version Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o)
  • Affected Vendor/Software: OpenSSL - OpenSSL version Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze)
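As an added example (not part of this CVE record or of OpenSSL's own tooling), the following script checks whether a reported OpenSSL release falls inside one of the affected ranges listed above. The regular expression and the folding of the 1.0.x/1.1.x letter suffix into an integer are my assumptions about how OpenSSL formats its version strings.

```python
import re
from typing import Optional, Tuple

# Affected ranges as stated in the advisory text: (first affected, last affected, fixed in)
AFFECTED_RANGES = [
    ("3.0.0", "3.0.3", "3.0.4"),
    ("1.1.1", "1.1.1o", "1.1.1p"),
    ("1.0.2", "1.0.2ze", "1.0.2zf"),
]

# Assumption: versions look like 1.1.1o, 1.0.2ze or 3.0.3, possibly embedded in
# the output of `openssl version` ("OpenSSL 1.1.1o  3 May 2022").
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn an OpenSSL version string into a tuple that compares correctly.

    The pre-3.0 letter suffix counts a..z and then za, zb, ..., so it is folded
    into one integer: no suffix = 0, 'a' = 1, 'z' = 26, 'za' = 27, 'ze' = 31.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    suffix = sum(ord(c) - ord("a") + 1 for c in m.group(4))
    return (major, minor, patch, suffix)


def cve_2022_2068_status(version_text: str) -> Optional[str]:
    """Return the release that fixes CVE-2022-2068 if the version is affected, else None."""
    v = parse_version(version_text)
    for first, last, fixed in AFFECTED_RANGES:
        if parse_version(first) <= v <= parse_version(last):
            return fixed
    return None


if __name__ == "__main__":
    import subprocess

    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout
    fix = cve_2022_2068_status(out)
    print(f"{out.strip()}: " + (f"affected, upgrade to {fix}" if fix else "not in an affected range"))
```

Distributions such as Debian and Ubuntu backport the fix without bumping the upstream version string, so on such systems the package changelog or the vendor advisory (DSA-5169-1, USN-5488-1) is the authoritative check, not the version number alone.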

CVE References

  • DEBIAN DSA-5169: Debian -- Security Information -- DSA-5169-1 openssl (www.debian.org)
  • CONFIRM: openssl.git commitdiff, git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9
  • CONFIRM: OpenSSL Security Advisory, www.openssl.org/news/secadv/20220621.txt
  • CONFIRM: openssl.git commitdiff, git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c9c35870601b4a44d86ddbf512b38df38285cfa
  • CONFIRM: openssl.git commitdiff, git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9639817dac8bbbaa64d09efad7464ccc405527c7

Related QID Numbers

  • 179493 Debian Security Update for Open Secure Sockets Layer (OpenSSL) (DSA 5169-1)
  • 198839 Ubuntu Security Notification for Open Secure Sockets Layer (OpenSSL) Vulnerability (USN-5488-1)
  • 690881 Free Berkeley Software Distribution (FreeBSD) Security Update for Open Secure Sockets Layer (OpenSSL) (4eeb93bf-f204-11ec-8fbd-d4c9ef517024)
  • 752266 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (SUSE-SU-2022:2181-1)
  • 752269 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (SUSE-SU-2022:2180-1)
  • 752272 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (SUSE-SU-2022:2179-1)
  • 752273 SUSE Enterprise Linux Security Update for openssl-1_1 (SUSE-SU-2022:2182-1)
  • 752280 SUSE Enterprise Linux Security Update for openssl-1_0_0 (SUSE-SU-2022:2197-1)

Known Affected Software

  • Vendor: OpenSSL, Product: OpenSSL, Version: Fixed in OpenSSL 3.0.4 (Affected 3.0.0, 3.0.1, 3.0.2, 3.0.3)
  • Vendor: OpenSSL, Product: OpenSSL, Version: Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o)
  • Vendor: OpenSSL, Product: OpenSSL, Version: Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze)

Discovery Credit

Chancen (Qingteng 73lab)

Social Mentions

  • Twitter, @iamamoose (2022-06-21 14:27:51 UTC): CVE-2022-2068 is another r_rehash script issue openssl.org/news/secadv/20…
  • Twitter, @flano_yuki (2022-06-21 14:39:49 UTC): OpenSSL Security Advisory [21 June 2022] The c_rehash script allows command injection (CVE-2022-2068) Severity: M… twitter.com/i/web/status/1…
  • Twitter, @CVEreport (2022-06-21 14:48:40 UTC): CVE-2022-2068 : In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstan… twitter.com/i/web/status/1…
  • Twitter, @Robo_Alerts (2022-06-21 15:56:01 UTC): Potentially Critical CVE Detected! CVE-2022-2068 In addition to the c_rehash shell command injection identified in… twitter.com/i/web/status/1…
  • Reddit, /r/netcve (2022-06-21 16:38:39 UTC): CVE-2022-2068

© CVE.report 2022


CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation, and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
