Bug 2087913 (CVE-2022-1473)

Summary: CVE-2022-1473 openssl: OPENSSL_LH_flush() breaks reuse of memory
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: berrange, bmontgom, bootloader-eng-team, cfergeau, crobinso, crypto-team, csutherl, dbelyavs, ddepaula, dueno, elima, eparis, epel-packagers-sig, erik-fedora, fmartine, gzaronik, hkario, jburrell, jclere, jferlan, jokerman, jwon, krathod, kraxel, ktietz, marcandre.lureau, michel, mjg59, mspacek, mturk, nstielau, ntait, pbonzini, philmd, pjindal, pjones, redhat-bugzilla, rharwood, rh-spice-bugs, rjones, sahana, sponnaga, szappis, tcullum, tm, virt-maint, virt-maint
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: openssl 3.0.3
Doc Text:
A memory leak flaw was found in OpenSSL, resulting in TLS servers and clients being halted by out-of-memory conditions, leading to a denial of service. An attacker needs to repeat actions continuously to trigger this vulnerability, resulting in a loss of application availability.
Last Closed: 2022-06-25 20:09:35 UTC
Bug Depends On: 2089443, 2089444, 2089474    
Bug Blocks: 2087910    

Description Patrick Del Bello 2022-05-18 14:21:51 UTC
The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occupied by the removed hash table entries. This function is used when decoding certificates or keys. If a long-lived process periodically decodes certificates or keys, its memory usage will expand without bounds and the process might be terminated by the operating system, causing a denial of service. Also, traversing the empty hash table entries will take increasingly more time. Typically such long-lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version, thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0, 3.0.1, 3.0.2).
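
The failure mode described above, as an added example that is not part of the original report and is not OpenSSL's lhash code: a toy chained hash table whose flush frees every entry but can leave the item counter stale, so each fill/flush cycle pushes the bucket array to grow and every later flush walks more empty buckets. The stale-counter mechanism, the doubling policy, and all names (`table`, `tbl_insert`, `tbl_flush`, `buckets_after`) are assumptions made for the model; the report itself states only that the memory of flushed entries is not reused.

```c
#include <stdlib.h>

/* Constructed model of a chained hash table; not OpenSSL's lhash code. */
typedef struct node { struct node *next; unsigned key; } node;
typedef struct { node **b; size_t num_nodes, num_items; } table;
static void *must(void *p) { if (p == NULL) abort(); return p; }

static void link_node(table *t, node *n) {
    node **slot = &t->b[n->key % t->num_nodes];
    n->next = *slot;
    *slot = n;
}

/* Assumed growth policy: double the bucket array once num_items >= 2 * num_nodes. */
static void tbl_insert(table *t, unsigned key) {
    if (t->num_items >= 2 * t->num_nodes) {
        node **old = t->b;
        size_t old_nodes = t->num_nodes;
        t->num_nodes *= 2;
        t->b = must(calloc(t->num_nodes, sizeof(node *)));
        for (size_t i = 0; i < old_nodes; i++)
            for (node *n = old[i], *nn; n != NULL; n = nn) { nn = n->next; link_node(t, n); }
        free(old);
    }
    node *n = must(malloc(sizeof(*n)));
    n->key = key;
    link_node(t, n);
    t->num_items++;
}

/* Frees every entry; reset_count == 0 leaves the counter stale (the modelled defect). */
static void tbl_flush(table *t, int reset_count) {
    for (size_t i = 0; i < t->num_nodes; i++) {
        for (node *n = t->b[i], *nn; n != NULL; n = nn) { nn = n->next; free(n); }
        t->b[i] = NULL;
    }
    if (reset_count) t->num_items = 0;
}

/* Workload: insert 16 entries, flush, repeat. Returns the final bucket count. */
size_t buckets_after(int cycles, int reset_count) {
    table t = { must(calloc(8, sizeof(node *))), 8, 0 };
    for (; cycles > 0; cycles--) {
        for (unsigned k = 0; k < 16; k++) tbl_insert(&t, k);
        tbl_flush(&t, reset_count);
    }
    free(t.b);
    return t.num_nodes;
}
```

Calling `buckets_after(100, 0)` and `buckets_after(100, 1)` compares the two behaviours: with the stale counter the table ends at 1024 buckets although it never holds more than 16 live entries, while the resetting flush stays at 8.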


Comment 2 Todd Cullum 2022-05-23 18:43:11 UTC
Created openssl3 tracking bugs for this issue:

Affects: epel-8 [bug 2089474]

Comment 8 Product Security DevOps Team 2022-06-25 20:09:31 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 9 errata-xmlrpc 2022-08-30 16:02:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6224 https://access.redhat.com/errata/RHSA-2022:6224