Bugzilla – Bug 1197341
VUL-0: CVE-2022-0547: openvpn-openssl1,openvpn: possible authentication bypass in external authentication plug-in
Last modified: 2022-06-03 16:15:59 UTC
CVE-2022-0547 OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0547 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0547 https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements https://openvpn.net/community-downloads/ https://community.openvpn.net/openvpn/wiki/CVE-2022-0547
Upstream commit: https://github.com/OpenVPN/openvpn/commit/282ddbac54f8d4923844f69983b38dd2b813a00a It seems that SUSE:SLE-11-SP1:Update and SUSE:SLE-11-SP3:Update ships a non-vulnerable version. Therefore, the following codestreams should be affected: openvpn - SUSE:SLE-12:Update - SUSE:SLE-15:Update - SUSE:SLE-15-SP4:Update openvpn-openssl1 - SUSE:SLE-11-SP3:Update
openSUSE-SU-2022:1029-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1197341 CVE References: CVE-2022-0547 JIRA References: Sources used: openSUSE Leap 15.4 (src): openvpn-2.4.3-150000.5.10.1 openSUSE Leap 15.3 (src): openvpn-2.4.3-150000.5.10.1
SUSE-SU-2022:1029-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1197341 CVE References: CVE-2022-0547 JIRA References: Sources used: SUSE Manager Server 4.1 (src): openvpn-2.4.3-150000.5.10.1 SUSE Manager Retail Branch Server 4.1 (src): openvpn-2.4.3-150000.5.10.1 SUSE Manager Proxy 4.1 (src): openvpn-2.4.3-150000.5.10.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): openvpn-2.4.3-150000.5.10.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): openvpn-2.4.3-150000.5.10.1 SUSE Linux Enterprise Server for SAP 15 (src): openvpn-2.4.3-150000.5.10.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): openvpn-2.4.3-150000.5.10.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): openvpn-2.4.3-150000.5.10.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): openvpn-2.4.3-150000.5.10.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): openvpn-2.4.3-150000.5.10.1 SUSE Linux Enterprise Server 15-LTSS (src): openvpn-2.4.3-150000.5.10.1 SUSE Linux Enterprise Realtime Extension 15-SP2 (src): openvpn-2.4.3-150000.5.10.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): openvpn-2.4.3-150000.5.10.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): openvpn-2.4.3-150000.5.10.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): openvpn-2.4.3-150000.5.10.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): openvpn-2.4.3-150000.5.10.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): openvpn-2.4.3-150000.5.10.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): openvpn-2.4.3-150000.5.10.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): openvpn-2.4.3-150000.5.10.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): openvpn-2.4.3-150000.5.10.1 SUSE Enterprise Storage 7 (src): openvpn-2.4.3-150000.5.10.1 SUSE Enterprise Storage 6 (src): openvpn-2.4.3-150000.5.10.1 SUSE CaaS Platform 4.0 (src): openvpn-2.4.3-150000.5.10.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1024-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1197341 CVE References: CVE-2022-0547 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): openvpn-2.3.8-16.29.1 SUSE OpenStack Cloud Crowbar 8 (src): openvpn-2.3.8-16.29.1 SUSE OpenStack Cloud 9 (src): openvpn-2.3.8-16.29.1 SUSE OpenStack Cloud 8 (src): openvpn-2.3.8-16.29.1 SUSE Linux Enterprise Server for SAP 12-SP4 (src): openvpn-2.3.8-16.29.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): openvpn-2.3.8-16.29.1 SUSE Linux Enterprise Server 12-SP5 (src): openvpn-2.3.8-16.29.1 SUSE Linux Enterprise Server 12-SP4-LTSS (src): openvpn-2.3.8-16.29.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): openvpn-2.3.8-16.29.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): openvpn-2.3.8-16.29.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): openvpn-2.3.8-16.29.1 HPE Helion Openstack 8 (src): openvpn-2.3.8-16.29.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:14937-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1197341 CVE References: CVE-2022-0547 JIRA References: Sources used: SUSE Linux Enterprise Server 11-SECURITY (src): openvpn-openssl1-2.3.2-0.10.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1934-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 1123557,1197341 CVE References: CVE-2022-0547 JIRA References: Sources used: openSUSE Leap 15.4 (src): openvpn-2.5.6-150400.3.3.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): openvpn-2.5.6-150400.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.