QID 354463

Date Published: 2022-12-21

QID 354463: Amazon Linux Security Advisory for openssl, Open Secure Sockets Layer1.1 (OpenSSL1.1) : ALAS2022-2022-041

The bn_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli.
Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.
It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters.
Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack.
The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.
Thus vulnerable situations include: - tls clients consuming server certificates - tls servers consuming client certificates - hosting providers taking certificates or private keys from customers - certificate authorities parsing certification requests from subscribers - anything else which parses asn.1 elliptic curve parameters also any other applications that use the bn_mod_sqrt() where the attacker can control the parameter values are vulnerable to this dos issue.
In the openssl 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop.
However any operation which requires the public key from the certificate will trigger the infinite loop.
In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature.
This issue affects openssl versions 1.0.2, 1.1.1 and 3.0.
Openssl versions 1.0.2, 1.1.1, and 3.0 have been updated. (
( CVE-2022-0778)

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.

CVSS V3 rated as High - 7.5 severity.

CVSS V2 rated as Medium - 5 severity.

Solution

Please refer to Amazon advisory: ALAS2022-2022-041 for affected packages and patching details, or update with your package manager.

Vendor References

ALAS2022-2022-041 - alas.aws.amazon.com/AL2022/ALAS-2022-041.html

CVEs related to QID 354463

CVE-2022-0778 |

Software Advisories

Advisory ID	Software	Component	Link
ALAS2022-2022-041	amazon linux 2022		alas.aws.amazon.com/AL2022/ALAS-2022-041.html

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].