CVE-2022-4304

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2022-4304
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2023-02-08 20:15:00 UTC
Updated2024-02-04 09:15:00 UTC
DescriptionA timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.

Risk And Classification

Problem Types: CWE-203

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Application Openssl Openssl All All All All
Application Stormshield Endpoint Security All All All All
Application Stormshield Sslvpn All All All All
Application Stormshield Stormshield Network Security All All All All

References

ReferenceSourceLinkTags
www.openssl.org/news/secadv/20230207.txt MISC www.openssl.org
OpenSSL: Multiple Vulnerabilities (GLSA 202402-08) — Gentoo security security.gentoo.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 160481 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2023-0946)
  • 160492 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2023-12152)
  • 160521 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2023-1405)
  • 160523 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2023-12213)
  • 160621 Oracle Enterprise Linux Security Update for edk2 (ELSA-2023-2165)
  • 160668 Oracle Enterprise Linux Security Update for edk2 (ELSA-2023-2932)
  • 161209 Oracle Enterprise Linux Security Update for edk2 (ELSA-2023-13026)
  • 161210 Oracle Enterprise Linux Security Update for edk2 (ELSA-2023-13024)
  • 161212 Oracle Enterprise Linux Security Update for edk2 (ELSA-2023-32791)
  • 161213 Oracle Enterprise Linux Security Update for edk2 (ELSA-2023-13025)
  • 161214 Oracle Enterprise Linux Security Update for edk2 (ELSA-2023-13027)
  • 161215 Oracle Enterprise Linux Security Update for edk2 (ELSA-2023-32790)
  • 181546 Debian Security Update for Open Secure Sockets Layer (OpenSSL) (DSA 5343-1)
  • 181593 Debian Security Update for Open Secure Sockets Layer (OpenSSL) (DLA 3325-1)
  • 184546 Debian Security Update for Open Secure Sockets Layer (OpenSSL) (CVE-2022-4304)
  • 199150 Ubuntu Security Notification for Open Secure Sockets Layer (OpenSSL) Vulnerabilities (USN-5844-1)
  • 200021 Ubuntu Security Notification for Node.js Vulnerabilities (USN-6564-1)
  • 241227 Red Hat Update for Open Secure Sockets Layer (OpenSSL) (RHSA-2023:0946)
  • 241256 Red Hat Update for Open Secure Sockets Layer (OpenSSL) (RHSA-2023:1199)
  • 241285 Red Hat Update for Open Secure Sockets Layer (OpenSSL) (RHSA-2023:1405)
  • 241469 Red Hat Update for edk2 security (RHSA-2023:2165)
  • 241496 Red Hat Update for edk2 (RHSA-2023:2932)
  • 241568 Red Hat Update for Open Secure Sockets Layer (OpenSSL) (RHSA-2023:3408)
  • 241574 Red Hat Update for JBoss Core Services (RHSA-2023:3354)
  • 241833 Red Hat Update for edk2 (RHSA-2023:4128)
  • 283694 Fedora Security Update for Open Secure Sockets Layer (OpenSSL) (FEDORA-2023-57f33242bc)
  • 283709 Fedora Security Update for edk2 (FEDORA-2023-e1ffb79ddf)
  • 283736 Fedora Security Update for Open Secure Sockets Layer (OpenSSL) (FEDORA-2023-a5564c0a3f)
  • 283759 Fedora Security Update for edk2 (FEDORA-2023-e821b64a4c)
  • 330133 IBM Advanced Interactive eXecutive (AIX) Open Secure Sockets Layer (OpenSSL) Multiple Vulnerabilities (openssl_advisory38)
  • 354734 Amazon Linux Security Advisory for Open Secure Sockets Layer (OpenSSL) : ALAS-2023-1683
  • 354735 Amazon Linux Security Advisory for Open Secure Sockets Layer11 (OpenSSL11) : ALAS2-2023-1934
  • 354737 Amazon Linux Security Advisory for Open Secure Sockets Layer (OpenSSL) : ALAS2-2023-1935
  • 355058 Amazon Linux Security Advisory for Open Secure Sockets Layer (OpenSSL) : AL2012-2023-382
  • 355230 Amazon Linux Security Advisory for Open Secure Sockets Layer (OpenSSL) : ALAS2023-2023-101
  • 356233 Amazon Linux Security Advisory for openssl-snapsafe : ALASOPENSSL-SNAPSAFE-2023-002
  • 356483 Amazon Linux Security Advisory for openssl-snapsafe : ALAS2OPENSSL-SNAPSAFE-2023-002
  • 357333 Amazon Linux Security Advisory for edk2 : ALAS2-2024-2502
  • 378416 Alibaba Cloud Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ALINUX3-SA-2023:0033)
  • 378438 HCL BigFix Multiple Security Vulnerabilities (KB0103724)
  • 378491 NetApp Clustered Data Open Network Technology for Appliance Products (ONTAP) Multiple OpenSSL Denial of Service (DoS) Vulnerabilities (NTAP-20230214-0011)
  • 378515 Alibaba Cloud Linux Security Update for edk2 (ALINUX3-SA-2023:0044)
  • 378599 Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)
  • 38894 Open Secure Sockets Layer (OpenSSL) Multiple Vulnerabilities
  • 43991 Hewlett Packard Enterprise (HPE) ArubaOS Multiple Vulnerabilities (ARUBA-PSA-2023-001)
  • 502652 Alpine Linux Security Update for Open Secure Sockets Layer (OpenSSL)
  • 502653 Alpine Linux Security Update for Open Secure Sockets Layer3 (OpenSSL3)
  • 502757 Alpine Linux Security Update for openssl
  • 502907 Alpine Linux Security Update for openssl1.1-compat
  • 505784 Alpine Linux Security Update for openssl1.1-compat
  • 672879 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2023-1602)
  • 672984 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2023-1875)
  • 673006 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2023-1850)
  • 673018 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2023-1982)
  • 673042 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2023-1960)
  • 673086 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL)111d (EulerOS-SA-2023-2162)
  • 673136 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2023-2299)
  • 673156 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2023-2275)
  • 673398 EulerOS Security Update for linux-sgx (EulerOS-SA-2023-3047)
  • 691051 Free Berkeley Software Distribution (FreeBSD) Security Update for Open Secure Sockets Layer (OpenSSL) (648a432c-a71f-11ed-86e9-d4c9ef517024)
  • 710857 Gentoo Linux Open Secure Sockets Layer (OpenSSL) Multiple Vulnerabilities (GLSA 202402-08)
  • 730818 IBM MQ Appliance Multiple Security Vulnerabilities (6986567)
  • 730953 Hewlett Packard Enterprise (HPE) OneView Multiple Vulnerabilities
  • 753631 SUSE Enterprise Linux Security Update for openssl-1_0_0 (SUSE-SU-2023:0305-1)
  • 753633 SUSE Enterprise Linux Security Update for openssl1 (SUSE-SU-2023:0307-1)
  • 753634 SUSE Enterprise Linux Security Update for openssl-1_0_0 (SUSE-SU-2023:0306-1)
  • 753636 SUSE Enterprise Linux Security Update for openssl-1_1 (SUSE-SU-2023:0310-1)
  • 753637 SUSE Enterprise Linux Security Update for openssl-1_1 (SUSE-SU-2023:0308-1)
  • 753640 SUSE Enterprise Linux Security Update for openssl-3 (SUSE-SU-2023:0312-1)
  • 753647 SUSE Enterprise Linux Security Update for openssl-1_1 (SUSE-SU-2023:0311-1)
  • 753649 SUSE Enterprise Linux Security Update for openssl-1_1 (SUSE-SU-2023:0309-1)
  • 753795 SUSE Enterprise Linux Security Update for compat-openssl098 (SUSE-SU-2023:0581-1)
  • 754071 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL)-1_0_0 (SUSE-SU-2023:0305)
  • 754072 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL)-1_0_0 (SUSE-SU-2023:0305-2)
  • 754079 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL)-1_0_0 (SUSE-SU-2023:0305)
  • 754080 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL)-1_0_0 (SUSE-SU-2023:0305)
  • 754084 SUSE Enterprise Linux Security Update for openssl-1_0_0 (SUSE-SU-2023:0305)
  • 754085 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL)-1_0_0 (SUSE-SU-2023:0305)
  • 754086 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL)-1_0_0 (SUSE-SU-2023:0305)
  • 754087 SUSE Enterprise Linux Security Update for openssl-1_0_0 (SUSE-SU-2023:0305)
  • 754088 SUSE Enterprise Linux Security Update for openssl-1_0_0 (SUSE-SU-2023:0305)
  • 754127 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL)-1_0_0 (SUSE-SU-2023:2624-1)
  • 754128 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL)-1_1 (SUSE-SU-2023:2623-1)
  • 754129 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL)-1_1 (SUSE-SU-2023:2622-1)
  • 754229 SUSE Enterprise Linux Security Update for compat-openssl098 (SUSE-SU-2023:3096-1)
  • 754245 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL)-1_1 (SUSE-SU-2023:3179-1)
  • 755850 SUSE Enterprise Linux Security Update for openssl-1_0_0 (SUSE-SU-2023:2633-1)
  • 905437 Common Base Linux Mariner (CBL-Mariner) Security Update for cloud-hypervisor (13302)
  • 905438 Common Base Linux Mariner (CBL-Mariner) Security Update for Open Secure Sockets Layer (OpenSSL) (13310)
  • 905444 Common Base Linux Mariner (CBL-Mariner) Security Update for rust (13313)
  • 905451 Common Base Linux Mariner (CBL-Mariner) Security Update for Open Secure Sockets Layer (OpenSSL) (13326)
  • 905456 Common Base Linux Mariner (CBL-Mariner) Security Update for rust (13334)
  • 905458 Common Base Linux Mariner (CBL-Mariner) Security Update for cloud-hypervisor (13319)
  • 905478 Common Base Linux Mariner (CBL-Mariner) Security Update for Open Secure Sockets Layer (OpenSSL) (13326-1)
  • 905506 Common Base Linux Mariner (CBL-Mariner) Security Update for Open Secure Sockets Layer (OpenSSL) (13310-1)
  • 906757 Common Base Linux Mariner (CBL-Mariner) Security Update for cloud-hypervisor (13302-1)
  • 940941 AlmaLinux Security Update for Open Secure Sockets Layer (OpenSSL) (ALSA-2023:0946)
  • 940962 AlmaLinux Security Update for Open Secure Sockets Layer (OpenSSL) (ALSA-2023:1405)
  • 941044 AlmaLinux Security Update for edk2 (ALSA-2023:2165)
  • 941103 AlmaLinux Security Update for edk2 (ALSA-2023:2932)
  • 960886 Rocky Linux Security Update for Open Secure Sockets Layer (OpenSSL) (RLSA-2023:1405)
  • 960889 Rocky Linux Security Update for Open Secure Sockets Layer (OpenSSL) (RLSA-2023:0946)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report