Bug 1199224 - (CVE-2022-27782) VUL-0: CVE-2022-27782: curl: TLS and SSH connection too eager reuse (5/6)
(CVE-2022-27782)
VUL-0: CVE-2022-27782: curl: TLS and SSH connection too eager reuse (5/6)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/330791/
CVSSv3.1:SUSE:CVE-2022-27782:7.5:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-05-05 07:04 UTC by Robert Frohl
Modified: 2022-08-23 07:38 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 5 Gianluca Gabrielli 2022-05-11 07:02:58 UTC
Public.


TLS and SSH connection too eager reuse
======================================

Project curl Security Advisory, May 11 2022 -
[Permalink](https://curl.se/docs/CVE-2022-27782.html)

VULNERABILITY
-------------

libcurl would reuse a previously created connection even when a TLS or SSH
related option had been changed that should have prohibited reuse.

libcurl keeps previously used connections in a connection pool for subsequent
transfers to reuse if one of them matches the setup. However, several TLS and
SSH settings were left out from the configuration match checks, making them
match too easily.

We are not aware of any exploit of this flaw.

INFO
----

Here are the list of options that were not considered in the check, so curl
would reuse a connection even if the subsequent transfer would have changed
one or more of these options.

### TLS options

- `CURLOPT_SSL_OPTIONS` (since 7.25.0)
- `CURLOPT_CRLFILE` (since 7.19.0)
- `CURLOPT_TLSAUTH_USERNAME` (since 7.21.4)
- `CURLOPT_TLSAUTH_PASSWORD` (since 7.21.4)
- `CURLOPT_PROXY_SSL_OPTIONS` (since 7.52.0)
- `CURLOPT_PROXY_CRLFILE` (since 7.52.0)
- `CURLOPT_PROXY_TLSAUTH_USERNAME` (since 7.52.0)
- `CURLOPT_PROXY_TLSAUTH_PASSWORD` (since 7.52.0)

### SSH options

- `CURLOPT_SSH_PUBLIC_KEYFILE` (since 7.16.1)
- `CURLOPT_SSH_PRIVATE_KEYFILE` (since 7.16.1)

This flaw was initially introduced in curl 7.16.1 and has been widened several
times since then. See table above for details

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2022-27782 to this issue.

CWE-305: Authentication Bypass by Primary Weakness

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.16.1 to and including 7.83.0
- Not affected versions: curl < 7.16.1 and curl >= 7.83.1

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

The two patches for CVE-2022-27782: [TLS-fix](https://github.com/curl/curl/commit/f18af4f874) and [SSH-fix](https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5)

RECOMMENDATIONS
--------------

 A - Upgrade curl to version 7.83.1

 B - Apply the patch to your local version

TIMELINE
--------

This issue was reported to the curl project on May 1, 2022. We contacted
distros@openwall on May 5.

libcurl 7.83.1 was released on May 11 2022, coordinated with the publication
of this advisory.

CREDITS
-------

This issue was reported by Harry Sintonen. Patched by Daniel Stenberg.

Thanks a lot!

-- 

 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html
Comment 7 David Anes 2022-05-13 07:04:26 UTC
Everything was done. Sent it back to security team.
Comment 10 Swamp Workflow Management 2022-05-18 19:15:31 UTC
SUSE-SU-2022:1733-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1199223,1199224
CVE References: CVE-2022-27781,CVE-2022-27782
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    curl-7.37.0-37.76.1
SUSE OpenStack Cloud 8 (src):    curl-7.37.0-37.76.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    curl-7.37.0-37.76.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    curl-7.37.0-37.76.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    curl-7.37.0-37.76.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    curl-7.37.0-37.76.1
HPE Helion Openstack 8 (src):    curl-7.37.0-37.76.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2022-05-23 13:18:14 UTC
SUSE-SU-2022:1805-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1199223,1199224
CVE References: CVE-2022-27781,CVE-2022-27782
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    curl-7.60.0-11.40.2
SUSE Linux Enterprise Server 12-SP5 (src):    curl-7.60.0-11.40.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-05-27 13:19:59 UTC
SUSE-SU-2022:1870-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1199223,1199224
CVE References: CVE-2022-27781,CVE-2022-27782
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    curl-7.66.0-150200.4.33.1
SUSE Manager Server 4.1 (src):    curl-7.66.0-150200.4.33.1
SUSE Manager Retail Branch Server 4.1 (src):    curl-7.66.0-150200.4.33.1
SUSE Manager Proxy 4.1 (src):    curl-7.66.0-150200.4.33.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    curl-7.66.0-150200.4.33.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    curl-7.66.0-150200.4.33.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    curl-7.66.0-150200.4.33.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    curl-7.66.0-150200.4.33.1
SUSE Linux Enterprise Micro 5.2 (src):    curl-7.66.0-150200.4.33.1
SUSE Linux Enterprise Micro 5.1 (src):    curl-7.66.0-150200.4.33.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    curl-7.66.0-150200.4.33.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    curl-7.66.0-150200.4.33.1
SUSE Enterprise Storage 7 (src):    curl-7.66.0-150200.4.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2022-08-16 13:20:33 UTC
SUSE-SU-2022:2813-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1199223,1199224,1200735,1200737
CVE References: CVE-2022-27781,CVE-2022-27782,CVE-2022-32206,CVE-2022-32208
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    curl-7.60.0-4.38.1
SUSE OpenStack Cloud 9 (src):    curl-7.60.0-4.38.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    curl-7.60.0-4.38.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    curl-7.60.0-4.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2022-08-17 16:18:55 UTC
SUSE-SU-2022:2829-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1199223,1199224,1200735,1200737
CVE References: CVE-2022-27781,CVE-2022-27782,CVE-2022-32206,CVE-2022-32208
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise Server for SAP 15 (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise Server 15-LTSS (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    curl-7.60.0-150000.33.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    curl-7.60.0-150000.33.1
SUSE Enterprise Storage 6 (src):    curl-7.60.0-150000.33.1
SUSE CaaS Platform 4.0 (src):    curl-7.60.0-150000.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Gianluca Gabrielli 2022-08-23 07:38:50 UTC
Thanks, we can close it.