Bugzilla – Bug 1199169
VUL-0: CVE-2022-1473: openssl-3: Resource leakage when decoding certificates and keys
Last modified: 2022-07-25 10:26:59 UTC
Resource leakage when decoding certificates and keys (CVE-2022-1473)
The OPENSSL_LH_flush() function, which empties a hash table, contains
a bug that breaks reuse of the memory occupied by the removed hash
This function is used when decoding certificates or keys. If a long lived
process periodically decodes certificates or keys its memory usage will
expand without bounds and the process might be terminated by the operating
system causing a denial of service. Also traversing the empty hash table
entries will take increasingly more time.
Typically such long lived processes might be TLS clients or TLS servers
configured to accept client certificate authentication.
The function was added in the OpenSSL 3.0 version thus older releases
are not affected by the issue.
It was addressed in the 3.0.3 release on the 3rd May 2022. The fix can be
found in git commit 64c85430f.
OpenSSL 1.0.2 users are not affected.
OpenSSL 1.1.1 users are not affected.
OpenSSL 3.0 users should upgrade to 3.0.3.
This issue was reported to OpenSSL on the 21st April 2022 by Aliaksei Levin.
The fix was developed by Hugo Landau from OpenSSL.
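Added illustration (not OpenSSL code and not part of the advisory): a deliberately small chained hash table whose flush routine frees every entry but, in the buggy variant, leaves the live-item counter stale. The table then believes it is still populated, so each further round of inserts pushes it past its growth threshold and the bucket array keeps doubling even though it is repeatedly emptied. That reproduces both symptoms the advisory names, memory that is never reused and ever-longer traversals of an empty table. The way the counter is left stale is a constructed simplification chosen for the demonstration; it is not a claim about the exact line that was wrong in OPENSSL_LH_flush(). simulate_rounds() models the long-lived process described above: decode a fixed batch of items, flush, repeat, and report how large the empty table has become.

```c
/* Added example: a toy chained hash table modelling the failure class in the
 * advisory above.  Not OpenSSL's lhash code; the stale-counter defect is a
 * constructed simplification, not a reproduction of the real commit. */
#include <stdio.h>
#include <stdlib.h>

typedef struct entry_st {
    unsigned long key;
    struct entry_st *next;
} entry;

typedef struct {
    entry **buckets;
    size_t num_buckets;   /* size of the bucket array */
    size_t num_items;     /* live entries; the grow decision trusts this */
} table;

static size_t bucket_of(unsigned long key, size_t num_buckets)
{
    return (size_t)(key * 2654435761UL) % num_buckets;
}

static table *table_new(size_t initial_buckets)
{
    table *t = calloc(1, sizeof *t);
    if (t == NULL) return NULL;
    t->num_buckets = initial_buckets;
    t->buckets = calloc(initial_buckets, sizeof *t->buckets);
    if (t->buckets == NULL) { free(t); return NULL; }
    return t;
}

/* Double the bucket array and rehash the live chains into it. */
static int table_grow(table *t)
{
    size_t new_count = t->num_buckets * 2;
    entry **fresh = calloc(new_count, sizeof *fresh);
    if (fresh == NULL) return 0;
    for (size_t i = 0; i < t->num_buckets; i++) {
        for (entry *e = t->buckets[i], *next; e != NULL; e = next) {
            next = e->next;
            size_t j = bucket_of(e->key, new_count);
            e->next = fresh[j];
            fresh[j] = e;
        }
    }
    free(t->buckets);
    t->buckets = fresh;
    t->num_buckets = new_count;
    return 1;
}

static int table_insert(table *t, unsigned long key)
{
    /* Grow when the counter says the table is full; the counter, not the
     * actual chain contents, is what the decision is based on. */
    if (t->num_items >= t->num_buckets && !table_grow(t)) return 0;
    entry *e = malloc(sizeof *e);
    if (e == NULL) return 0;
    e->key = key;
    size_t b = bucket_of(key, t->num_buckets);
    e->next = t->buckets[b];
    t->buckets[b] = e;
    t->num_items++;
    return 1;
}

/* Empty the table.  With reset_counter == 0 the entries are freed but the
 * item counter stays stale, so the table still believes it is populated. */
static void table_flush(table *t, int reset_counter)
{
    for (size_t i = 0; i < t->num_buckets; i++) {
        for (entry *e = t->buckets[i], *next; e != NULL; e = next) {
            next = e->next;
            free(e);
        }
        t->buckets[i] = NULL;
    }
    if (reset_counter) t->num_items = 0;   /* missing in the buggy variant */
}

static void table_free(table *t)
{
    if (t == NULL) return;
    table_flush(t, 1);
    free(t->buckets);
    free(t);
}

/* Model a long-lived process: each round "decodes" items_per_round entries
 * into the table and then flushes it.  Returns the bucket-array size after
 * all rounds, i.e. how much memory the supposedly empty table still holds. */
size_t simulate_rounds(int rounds, int items_per_round, int fixed)
{
    table *t = table_new(16);
    if (t == NULL) return 0;
    for (int r = 0; r < rounds; r++) {
        for (int i = 0; i < items_per_round; i++) {
            unsigned long key = (unsigned long)(r * items_per_round + i);
            if (!table_insert(t, key)) { table_free(t); return 0; }
        }
        table_flush(t, fixed);
    }
    size_t buckets = t->num_buckets;
    table_free(t);
    return buckets;
}

int main(void)
{
    printf("buggy flush: %zu buckets after 10 rounds\n", simulate_rounds(10, 8, 0));
    printf("fixed flush: %zu buckets after 10 rounds\n", simulate_rounds(10, 8, 1));
    return 0;
}
```

With 8 items per round and 16 initial buckets, the buggy variant doubles its bucket array every time the stale counter crosses the current size (rounds 3, 5 and 9), so the empty table holds 128 buckets after 10 rounds and keeps growing; the fixed variant stays at 16 for any number of rounds. This is the same pattern the advisory describes for a TLS endpoint that decodes certificates periodically, and the same reason the 3.0.3 upgrade is the remedy rather than any configuration change.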
created request id 274710
Reassigning to Security Team.
SUSE-SU-2022:2306-1: An update that solves 6 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1185637,1199166,1199167,1199168,1199169,1200550,1201099
CVE References: CVE-2022-1292,CVE-2022-1343,CVE-2022-1434,CVE-2022-1473,CVE-2022-2068,CVE-2022-2097
openSUSE Leap 15.4 (src): openssl-3-3.0.1-150400.4.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): openssl-3-3.0.1-150400.4.7.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Update to OpenSSL 3.0.5, accepted Factory submission: