Bug 1206374 - (CVE-2022-3996) VUL-0: CVE-2022-3996: openssl-3: X.509 Policy Constraints Double Locking
VUL-0: CVE-2022-3996: openssl-3: X.509 Policy Constraints Double Locking
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Major
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2022-12-13 14:11 UTC by Marcus Meissner
Modified: 2022-12-20 17:25 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2022-12-13 14:11:41 UTC


OpenSSL Security Advisory [13 December 2022]

X.509 Policy Constraints Double Locking (CVE-2022-3996)

Severity: Low

If an X.509 certificate contains a malformed policy constraint and
policy processing is enabled, then a write lock will be taken twice
recursively.  On some operating systems (most widely: Windows) this
results in a denial of service when the affected process hangs.  Policy
processing being enabled on a publicly facing server is not considered
to be a common setup.

Policy processing is enabled by passing the `-policy'
argument to the command line utilities or by calling either
`X509_VERIFY_PARAM_add0_policy()' or `X509_VERIFY_PARAM_set1_policies()'

OpenSSL versions 3.0.0 to 3.0.7 are vulnerable to this issue.  However due
to the low severity of this issue we are not creating a new release at
this time.  The mitigation for this issue can be found in commit 7725e7bfe.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8 once it is released.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was discovered on 7th November 2022 by Polar Bear.
The fix was developed by Dr Paul Dale.

We have no evidence of this issue being exploited as of the time of
release of this advisory (December 13th 2022).


URL for this Security Advisory:

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
Comment 2 Pedro Monreal Gonzalez 2022-12-13 17:42:45 UTC
Upstream commit:
 * https://github.com/openssl/openssl/commit/4d0340a6d2f327700a059f0b8f954d6160f8eef5
Comment 3 Pedro Monreal Gonzalez 2022-12-13 17:45:21 UTC
Otto, since there won't be a new release addressing this CVE for the moment, could you apply the patch to both openssl-3 in SLE-15-SP4 and Factory? TIA
Comment 4 Pedro Monreal Gonzalez 2022-12-15 09:42:35 UTC
Factory submission: https://build.opensuse.org/request/show/1042989
Comment 6 Otto Hollmann 2022-12-15 12:38:12 UTC
Factory submission: https://build.opensuse.org/request/show/1042989
SLE15-SP4 submission: https://build.suse.de/request/show/286632

No other codestreams affected, assigned back to security team.
Comment 8 Otto Hollmann 2022-12-15 14:39:30 UTC
Resubmitted SLE15-SP4 because of incomplete patch name in .changes file

Factory submission: https://build.opensuse.org/request/show/1042989
SLE15-SP4 submission: https://build.suse.de/request/show/286647
Comment 9 Swamp Workflow Management 2022-12-20 17:25:58 UTC
SUSE-SU-2022:4586-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1206374
CVE References: CVE-2022-3786,CVE-2022-3996
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    openssl-3-3.0.1-150400.4.14.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    openssl-3-3.0.1-150400.4.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.