Bug 1199169 (CVE-2022-1473)

Summary: VUL-0: CVE-2022-1473: openssl-3: Resource leakage when decoding certificates and keys
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P2 - High CC: pmonrealgonzalez, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/330569/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-1473:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2022-05-03 15:25:53 UTC
CVE-2022-1473

https://www.openssl.org/news/secadv/20220503.txt

Resource leakage when decoding certificates and keys (CVE-2022-1473)
====================================================================

Severity: Low

The OPENSSL_LH_flush() function, which empties a hash table, contains
a bug that breaks reuse of the memory occuppied by the removed hash
table entries.

This function is used when decoding certificates or keys. If a long lived
process periodically decodes certificates or keys its memory usage will
expand without bounds and the process might be terminated by the operating
system causing a denial of service. Also traversing the empty hash table
entries will take increasingly more time.

Typically such long lived processes might be TLS clients or TLS servers
configured to accept client certificate authentication.

The function was added in the OpenSSL 3.0 version thus older releases
are not affected by the issue.

It was addressed in the 3.0.3 release on the 3rd May 2022. The fix can be
found in git commit 64c85430f.

OpenSSL 1.0.2 users are not affected.
OpenSSL 1.1.1 users are not affected.
OpenSSL 3.0 users should upgrade to 3.0.3.

This issue was reported to OpenSSL on the 21st April 2022 by Aliaksei Levin.
The fix was developed by Hugo Landau from OpenSSL.
Comment 1 Jason Sikes 2022-06-24 07:27:47 UTC
created request id 274710

Reassigning to Security Team.
Comment 4 Swamp Workflow Management 2022-07-06 16:33:04 UTC
SUSE-SU-2022:2306-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1185637,1199166,1199167,1199168,1199169,1200550,1201099
CVE References: CVE-2022-1292,CVE-2022-1343,CVE-2022-1434,CVE-2022-1473,CVE-2022-2068,CVE-2022-2097
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    openssl-3-3.0.1-150400.4.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    openssl-3-3.0.1-150400.4.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Pedro Monreal Gonzalez 2022-07-25 10:26:59 UTC
Update to OpenSSL 3.0.5, accepted Factory submission:
 * https://build.opensuse.org/request/show/990536