Bug 1199167 - (CVE-2022-1343) VUL-0: CVE-2022-1343: openssl-3: OCSP_basic_verify may incorrectly verify the response signing certificate
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other  OS: Other
Priority: P2 - High  Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/330567/
CVSSv3.1:SUSE:CVE-2022-1343:6.1:(AV:L...
Depends on:
Blocks:
Reported: 2022-05-03 15:17 UTC by Marcus Meissner
Modified: 2022-07-04 07:45 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2022-05-03 15:17:19 UTC
CVE-2022-1343


https://www.openssl.org/news/secadv/20220503.txt

OCSP_basic_verify may incorrectly verify the response signing certificate (CVE-2022-1343)
=========================================================================================

Severity: Moderate

The function `OCSP_basic_verify` verifies the signer certificate on an OCSP
response. In the case where the (non-default) flag OCSP_NOCHECKS is used then
the response will be positive (meaning a successful verification) even in the
case where the response signing certificate fails to verify.

It is anticipated that most users of `OCSP_basic_verify` will not use the
OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return
a negative value (indicating a fatal error) in the case of a certificate
verification failure. The normal expected return value in this case would be 0.

This issue also impacts the command line OpenSSL "ocsp" application. When
verifying an ocsp response with the "-no_cert_checks" option the command line
application will report that the verification is successful even though it has
in fact failed. In this case the incorrect successful response will also be
accompanied by error messages showing the failure and contradicting the
apparently successful result.

This issue affects OpenSSL version 3.0.

OpenSSL 3.0 users should upgrade to 3.0.3.

This issue was reported to OpenSSL on the 6th April 2022 by Raul Metsma. The fix
was developed by Matt Caswell from OpenSSL.
Comment 2 Jason Sikes 2022-06-24 07:28:12 UTC
created request id 274710

Reassigning to Security Team.