CVE-2022-2068
Published on: Not Yet Published
Last Modified on: 06/27/2022 11:15:00 AM UTC
Certain versions of OpenSSL from OpenSSL contain the following vulnerability:
In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).
- CVE-2022-2068 has been assigned by [email protected] to track the vulnerability
- Affected Vendor/Software: OpenSSL - OpenSSL version Fixed in OpenSSL 3.0.4 (Affected 3.0.0, 3.0.1, 3.0.2, 3.0.3)
- Affected Vendor/Software: OpenSSL - OpenSSL version Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o)
- Affected Vendor/Software: OpenSSL - OpenSSL version Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze)
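The advisory text above gives three affected ranges, two of them in OpenSSL's legacy letter-suffix scheme (1.1.1-1.1.1o, 1.0.2-1.0.2ze) where "ze" sorts after "z", so a naive string comparison gets them wrong. The following is an added example, not part of this CVE record or of OpenSSL's own tooling: it parses OpenSSL version strings into a sortable form, checks a version against the ranges stated on this page, and optionally queries the local `openssl version` binary. The `AFFECTED` table is copied from the advisory text; the letter-ranking rule (a..z, then za..zz) is an assumption about OpenSSL's pre-3.0 numbering.

```python
"""Check an OpenSSL version against the CVE-2022-2068 affected ranges.

Added example (not the CVE record's or OpenSSL's own code). Assumes
version strings look like "1.1.1o", "1.0.2ze" or "3.0.3"; the ranges
below are copied from the advisory text on this page.
"""
import re
import subprocess

# (first affected, last affected, first fixed) as stated in the advisory.
AFFECTED = [
    ("3.0.0", "3.0.3", "3.0.4"),
    ("1.1.1", "1.1.1o", "1.1.1p"),
    ("1.0.2", "1.0.2ze", "1.0.2zf"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(text):
    """Turn "1.1.1o" into a sortable tuple such as (1, 1, 1, 15).

    Assumed ranking of the legacy suffix: "" = 0, a..z = 1..26, then
    za..zz = 677..702, so "1.0.2z" < "1.0.2ze" < "1.0.2zf".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, patch, letters = m.groups()
    rank = 0
    for ch in letters:
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(patch), rank)


def is_affected(version):
    """Return the first fixed release if `version` is inside an affected
    range, otherwise None."""
    v = parse_version(version)
    for first, last, fixed in AFFECTED:
        if parse_version(first) <= v <= parse_version(last):
            return fixed
    return None


def installed_openssl_version():
    """Ask the local openssl binary for its version; None if unavailable."""
    try:
        out = subprocess.run(
            ["openssl", "version"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    # e.g. "OpenSSL 1.1.1o  3 May 2022" -> "1.1.1o"
    m = re.search(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)", out)
    return m.group(1) if m else None


if __name__ == "__main__":
    ver = installed_openssl_version()
    if ver is None:
        print("openssl binary not found; call is_affected('<version>') directly")
    else:
        fixed = is_affected(ver)
        if fixed:
            print(f"OpenSSL {ver} is inside an affected range: upgrade to {fixed} "
                  "and replace any c_rehash usage with 'openssl rehash'")
        else:
            print(f"OpenSSL {ver} is outside the affected ranges for CVE-2022-2068")
```

Distribution packages often backport the fix without changing the upstream version string, so a match here means "check the vendor advisory (the DSA, USN or SUSE-SU identifiers listed below)", not a confirmed vulnerable host; the more durable mitigation the advisory names is to stop invoking `c_rehash` at all in favour of `openssl rehash`.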
CVE References
Description | Source | Tags |
---|---|---|
Debian -- Security Information -- DSA-5169-1 openssl | www.debian.org | text/html, Deprecated Link |
Git - openssl.git/commitdiff | git.openssl.org | text/xml, Inactive Link, Not Archived |
 | www.openssl.org | text/plain |
Git - openssl.git/commitdiff | git.openssl.org | text/xml |
Git - openssl.git/commitdiff | git.openssl.org | text/xml |
Related QID Numbers
- 179493 Debian Security Update for Open Secure Sockets Layer (OpenSSL) (DSA 5169-1)
- 198839 Ubuntu Security Notification for Open Secure Sockets Layer (OpenSSL) Vulnerability (USN-5488-1)
- 690881 Free Berkeley Software Distribution (FreeBSD) Security Update for Open Secure Sockets Layer (OpenSSL) (4eeb93bf-f204-11ec-8fbd-d4c9ef517024)
- 752266 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (SUSE-SU-2022:2181-1)
- 752269 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (SUSE-SU-2022:2180-1)
- 752272 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (SUSE-SU-2022:2179-1)
- 752273 SUSE Enterprise Linux Security Update for openssl-1_1 (SUSE-SU-2022:2182-1)
- 752280 SUSE Enterprise Linux Security Update for openssl-1_0_0 (SUSE-SU-2022:2197-1)
Known Affected Software
Vendor | Product | Version |
---|---|---|
OpenSSL | OpenSSL | Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3) |
OpenSSL | OpenSSL | Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o) |
OpenSSL | OpenSSL | Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze) |
Discovery Credit
Chancen (Qingteng 73lab)
Social Mentions
Title | Posted (UTC) |
---|---|
CVE-2022-2068 is another c_rehash script issue openssl.org/news/secadv/20… | 2022-06-21 14:27:51 |
OpenSSL Security Advisory [21 June 2022] The c_rehash script allows command injection (CVE-2022-2068) Severity: M… twitter.com/i/web/status/1… | 2022-06-21 14:39:49 |
CVE-2022-2068 : In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstan… twitter.com/i/web/status/1… | 2022-06-21 14:48:40 |
Potentially Critical CVE Detected! CVE-2022-2068 In addition to the c_rehash shell command injection identified in… twitter.com/i/web/status/1… | 2022-06-21 15:56:01 |
CVE-2022-2068 | 2022-06-21 16:38:39 |