Bugzilla – Full Text Bug Listing
|Summary:||VUL-0: CVE-2022-1473: openssl-3: Resource leakage when decoding certificates and keys|
|Product:||[Novell Products] SUSE Security Incidents||Reporter:||Marcus Meissner <meissner>|
|Component:||Incidents||Assignee:||Security Team bot <security-team>|
|Status:||IN_PROGRESS ---||QA Contact:||Security Team bot <security-team>|
|Priority:||P2 - High||CC:||pmonrealgonzalez, smash_bz|
|Found By:||Security Response Team||Services Priority:|
|Marketing QA Status:||---||IT Deployment:||---|
Description Marcus Meissner 2022-05-03 15:25:53 UTC
CVE-2022-1473 https://www.openssl.org/news/secadv/20220503.txt Resource leakage when decoding certificates and keys (CVE-2022-1473) ==================================================================== Severity: Low The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. It was addressed in the 3.0.3 release on the 3rd May 2022. The fix can be found in git commit 64c85430f. OpenSSL 1.0.2 users are not affected. OpenSSL 1.1.1 users are not affected. OpenSSL 3.0 users should upgrade to 3.0.3. This issue was reported to OpenSSL on the 21st April 2022 by Aliaksei Levin. The fix was developed by Hugo Landau from OpenSSL.
Comment 1 Jason Sikes 2022-06-24 07:27:47 UTC
created request id 274710 Reassigning to Security Team.
Comment 4 Swamp Workflow Management 2022-07-06 16:33:04 UTC
SUSE-SU-2022:2306-1: An update that solves 6 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1185637,1199166,1199167,1199168,1199169,1200550,1201099 CVE References: CVE-2022-1292,CVE-2022-1343,CVE-2022-1434,CVE-2022-1473,CVE-2022-2068,CVE-2022-2097 JIRA References: Sources used: openSUSE Leap 15.4 (src): openssl-3-3.0.1-150400.4.7.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): openssl-3-3.0.1-150400.4.7.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.