Bug 2062202 (CVE-2022-0778)

Summary: CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: agawand, agogala, andbartl, aos-bugs, asoldano, atangrin, bbaranow, bdettelb, berrange, bmaxwell, bootloader-eng-team, brian.stansberry, caswilli, cdewolf, cfergeau, chazlett, chorn, cperry, crobinso, crypto-team, csutherl, darran.lofthouse, dbelyavs, dkreling, dkuc, dornelas, dosoudil, dueno, eleandro, elima, epel-packagers-sig, erik-fedora, fcanogab, fjansen, fjuma, fmartine, gparvin, gzaronik, hkario, iweiss, jbroome, jburrell, jclere, jkoehler, jochrist, jocolema, jpallich, jperkins, jramanat, jtanner, jwong, jwon, kaycoth, krathod, kraxel, ksathe, ktietz, kwills, kyoshida, lgao, lob+redhat, marcandre.lureau, michal.skrivanek, michel, micjohns, mjg59, mori, mosmerov, mperina, msochure, mspacek, msvehla, mturk, njean, nobody, nwallace, pahickey, pasik, pbonzini, philmd, pjindal, pjones, pmackay, proguski, rdey, redhat-bugzilla, redhat, rfreiman, rguimara, rharwood, rh-spice-bugs, rjones, rpalathi, rstancel, rsvoboda, sahana, sbonazzo, security-response-team, smaestri, stcannon, sthirugn, szappis, tmeszaro, tm, tom.jenkinson, virt-maint, virt-maint, vkrizan, vkumar, vmugicag, yborgess, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssl 1.0.2zd, openssl 1.1.1n, openssl 3.0.2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenSSL. It is possible to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing happens before verification of the certificate signature, any process that parses an externally supplied certificate may be subject to a denial of service attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-07-01 01:24:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2062314, 2062315, 2062394, 2062758, 2062761, 2062781, 2063129, 2063130, 2063131, 2063132, 2063133, 2063134, 2063145, 2063146, 2063147, 2063148, 2064911, 2064913, 2064914, 2064915, 2064917, 2064918, 2067141, 2067142, 2067143, 2067144, 2067145, 2067146, 2067159, 2067160, 2067161, 2067208, 2067209, 2067210, 2067211, 2067222, 2067223, 2067224, 2067225, 2067226, 2067227, 2067228, 2067229, 2067230, 2067231, 2067232, 2067973, 2067974, 2068507, 2070101, 2076699, 2077417, 2077418    
Bug Blocks: 2062201    

Description Mauro Matteo Cascella 2022-03-09 11:42:44 UTC 
The BN_mod_sqrt() function, which computes a modular square root, contains
a bug that can cause it to loop forever for non-prime moduli.

Internally this function is used when parsing certificates that contain
elliptic curve public keys in compressed form or explicit elliptic curve
parameters with a base point encoded in compressed form.

It is possible to trigger the infinite loop by crafting a certificate that
has invalid explicit curve parameters.

Since certificate parsing happens prior to verification of the certificate
signature, any process that parses an externally supplied certificate may thus
be subject to a denial of service attack. The infinite loop can also be
reached when parsing crafted private keys as they can contain explicit
elliptic curve parameters.

Thus vulnerable situations include:

TLS clients consuming server certificates
TLS servers consuming client certificates
Hosting providers taking certificates or private keys from customers
Certificate authorities parsing certification requests from subscribers
Anything else which parses ASN.1 elliptic curve parameters
Also any other applications that use the BN_mod_sqrt() where the attacker
can control the parameter values are vulnerable to this DoS issue.

On the OpenSSL 1.0.2 version the public key is not parsed during initial
parsing of the certificate which makes it slightly harder to trigger
the infinite loop. However any operation which requires the public key
from the certificate will trigger the infinite loop. In particular the
attacker can use a self-signed certificate to trigger the loop during
verification of the certificate signature.

This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was
addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022.

OpenSSL 1.0.2 users should upgrade to 1.0.2zd
OpenSSL 1.1.1 users should upgrade to 1.1.1n
OpenSSL 3.0 users should upgrade to 3.0.2

This issue was reported to OpenSSL on the 24th February 2022 by Tavis Ormandy
from Google. The fix was developed by David Benjamin from Google and Tomáš Mráz
from OpenSSL.

OpenSSL Security Advisory:
https://www.openssl.org/news/secadv/20220315.txt

Upstream patch:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65
Comment 14 Sandipan Roy 2022-03-16 04:02:24 UTC 
https://www.openssl.org/news/secadv/20220315.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65
Comment 16 Mauro Matteo Cascella 2022-03-16 20:53:05 UTC 
Created edk2 tracking bugs for this issue:

Affects: fedora-all [bug 2064917]


Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 2064914]


Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 2064911]


Created openssl1.1 tracking bugs for this issue:

Affects: fedora-all [bug 2064918]


Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 2064913]


Created openssl3 tracking bugs for this issue:

Affects: epel-8 [bug 2064915]
Comment 31 errata-xmlrpc 2022-03-28 08:40:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1065 https://access.redhat.com/errata/RHSA-2022:1065
Comment 32 errata-xmlrpc 2022-03-28 09:53:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2022:1076 https://access.redhat.com/errata/RHSA-2022:1076
Comment 33 errata-xmlrpc 2022-03-28 09:55:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2022:1073 https://access.redhat.com/errata/RHSA-2022:1073
Comment 34 errata-xmlrpc 2022-03-28 10:14:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:1071 https://access.redhat.com/errata/RHSA-2022:1071
Comment 37 errata-xmlrpc 2022-03-28 10:55:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:1066 https://access.redhat.com/errata/RHSA-2022:1066
Comment 38 errata-xmlrpc 2022-03-28 11:14:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2022:1078 https://access.redhat.com/errata/RHSA-2022:1078
Comment 39 errata-xmlrpc 2022-03-28 11:33:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2022:1077 https://access.redhat.com/errata/RHSA-2022:1077
Comment 40 errata-xmlrpc 2022-03-28 13:50:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2022:1082 https://access.redhat.com/errata/RHSA-2022:1082
Comment 41 Christian Horn 2022-03-29 00:46:47 UTC 
(In reply to errata-xmlrpc from comment #40)
> This issue has been addressed in the following products:
> 
>   Red Hat Enterprise Linux 7.3 Advanced Update Support
> 
> Via RHSA-2022:1082 https://access.redhat.com/errata/RHSA-2022:1082

That is not yet reflected in bz2067222.  Seems to also apply to
other errata, like the 7.4.z fix.
Comment 42 errata-xmlrpc 2022-03-29 07:25:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:1091 https://access.redhat.com/errata/RHSA-2022:1091
Comment 44 errata-xmlrpc 2022-03-29 13:55:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:1112 https://access.redhat.com/errata/RHSA-2022:1112
Comment 55 errata-xmlrpc 2022-04-07 09:03:46 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2022:1263 https://access.redhat.com/errata/RHSA-2022:1263
Comment 56 Jace Liang 2022-04-14 08:10:02 UTC 
Dear team,

I see our errata for RHEL 7 only upgrades openssl to openssl-1.0.2k-25.el7_9
But the description of this CVE noted that 'OpenSSL 1.0.2 users should upgrade to 1.0.2zd'
Is our RHSA-2022:1066 already fixes this CVE?
Comment 57 Dmitry Belyavskiy 2022-04-14 11:30:20 UTC 
1.0.2zd is an upstream version, we normally don't rebase to a new upstream version on fixing CVE. We apply the patches fixing the vulnerability and increase our version. Yes, the patch was added to openssl-1.0.2k-25
Comment 58 Alicja Kario 2022-04-20 13:44:55 UTC 
Jace, please see this article on the topic of backporting security fixes: https://access.redhat.com/security/updates/backporting
Comment 59 errata-xmlrpc 2022-04-20 19:30:40 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2022:1390 https://access.redhat.com/errata/RHSA-2022:1390
Comment 60 errata-xmlrpc 2022-04-20 19:42:14 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2022:1389 https://access.redhat.com/errata/RHSA-2022:1389
Comment 61 errata-xmlrpc 2022-04-20 23:46:29 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:1476 https://access.redhat.com/errata/RHSA-2022:1476
Comment 64 errata-xmlrpc 2022-05-02 11:03:44 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2022:1520 https://access.redhat.com/errata/RHSA-2022:1520
Comment 65 errata-xmlrpc 2022-05-02 11:05:36 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.6 on RHEL 7
  Red Hat JBoss Web Server 5.6 on RHEL 8

Via RHSA-2022:1519 https://access.redhat.com/errata/RHSA-2022:1519
Comment 66 john broome 2022-05-05 19:51:19 UTC 
(In reply to errata-xmlrpc from comment #37)
> This issue has been addressed in the following products:
> 
>   Red Hat Enterprise Linux 7
> 
> Via RHSA-2022:1066 https://access.redhat.com/errata/RHSA-2022:1066


This is super minor, but I just found it grepping the rpm changelog for this CVE.  The changelog lists the CVE that was fixed as CVE-2022-2078 (which doesn't exist) instead of CVE-2022-0778.

Here's what's in the changelog:

* Wed Mar 23 2022 Dmitry Belyavskiy <dbelyavs> - 1:1.0.2k-25
- Fixes CVE-2022-2078 Infinite loop in BN_mod_sqrt() reachable when parsing certificates
- Related: rhbz#2067160
Comment 75 errata-xmlrpc 2022-06-03 13:48:38 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:4896 https://access.redhat.com/errata/RHSA-2022:4896
Comment 76 errata-xmlrpc 2022-06-04 00:19:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:4899 https://access.redhat.com/errata/RHSA-2022:4899
Comment 80 errata-xmlrpc 2022-06-09 02:06:29 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:4956 https://access.redhat.com/errata/RHSA-2022:4956
Comment 85 errata-xmlrpc 2022-06-28 15:13:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5326 https://access.redhat.com/errata/RHSA-2022:5326
Comment 87 Product Security DevOps Team 2022-07-01 01:24:44 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0778