Bug 2097310 (CVE-2022-2068)

Summary: CVE-2022-2068 openssl: the c_rehash script allows command injection
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: asoldano, bbaranow, bbuckingham, bcourt, bdettelb, berrange, bmaxwell, bootloader-eng-team, brian.stansberry, btotty, caswilli, cdewolf, cfergeau, chazlett, cllang, crobinso, crypto-team, csutherl, dahernan, darran.lofthouse, dbelyavs, ddepaula, dffrench, dhalasz, dkreling, dkuc, dosoudil, dueno, ehelms, elima, epel-packagers-sig, erik-fedora, fjansen, fjuma, fmartine, gparvin, gzaronik, hasuzuki, iweiss, jburrell, jclere, jferlan, jochrist, jokerman, jramanat, jsherril, jwong, jwon, kaycoth, krathod, kraxel, kshier, ktietz, kyoneyam, lgao, lzap, marcandre.lureau, mcascell, mhulan, michal.skrivanek, michel, micjohns, mjg59, mmadzin, mmccune, mosmerov, mperina, msochure, mspacek, msvehla, mturk, myarboro, ngough, njean, nmoumoul, nwallace, orabin, pahickey, pbonzini, pcreech, peholase, philmd, pjindal, pjones, plodge, pmackay, rchan, redhat-bugzilla, rfreiman, rgodfrey, rharwood, rh-spice-bugs, rjones, rstancel, rsvoboda, sahana, sbonazzo, security-response-team, smaestri, smeyer, stcannon, sthirugn, szappis, tmeszaro, tm, tom.jenkinson, virt-maint, virt-maint, vkrizan, vkumar, vmugicag
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssl 1.0.2zf, openssl 1.1.1p, openssl 3.0.4 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenSSL. The issue in CVE-2022-1292 did not find other places in the `c_rehash` script where it possibly passed the file names of certificates being hashed to a command executed through the shell. Some operating systems distribute this script in a manner where it is automatically executed. On these operating systems, this flaw allows an attacker to execute arbitrary commands with the privileges of the script.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-09-03 10:26:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2099471, 2100097, 2111157, 2230555, 2098273, 2098276, 2098277, 2098278, 2098279, 2098280, 2098281, 2099969, 2099970, 2099971, 2099972, 2099973, 2099974, 2099975, 2100098, 2104732    
Bug Blocks: 2097311    

Description Marian Rehak 2022-06-15 12:16:30 UTC 
When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.
Comment 9 Marian Rehak 2022-06-22 06:08:18 UTC 
Created edk2 tracking bugs for this issue:

Affects: fedora-all [bug 2099974]


Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 2099971]


Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 2099972]


Created openssl1.1 tracking bugs for this issue:

Affects: fedora-all [bug 2099975]


Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 2099969]


Created openssl3 tracking bugs for this issue:

Affects: epel-8 [bug 2099970]


Created shim tracking bugs for this issue:

Affects: fedora-all [bug 2099973]
Comment 10 Mauro Matteo Cascella 2022-06-22 10:30:24 UTC 
OpenSSL Security Advisory:
https://www.openssl.org/news/secadv/20220621.txt

Upstream commits:
https://github.com/openssl/openssl/commit/2c9c35870601b4a44d86ddbf512b38df38285cfa [OpenSSL 3.0.4]
https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7 [OpenSSL 1.1.1p]
https://github.com/openssl/openssl/commit/7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9 [OpenSSL 1.0.2zf]
Comment 13 Mauro Matteo Cascella 2022-06-22 13:58:57 UTC 
Follow-up commit:
https://github.com/openssl/openssl/commit/8a3579a7b7067a983e69a4eda839ac408c120739 [OpenSSL 3.0.4]
Comment 18 errata-xmlrpc 2022-08-03 13:00:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5818 https://access.redhat.com/errata/RHSA-2022:5818
Comment 19 errata-xmlrpc 2022-08-30 16:02:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6224 https://access.redhat.com/errata/RHSA-2022:6224
Comment 20 Product Security DevOps Team 2022-09-03 10:26:18 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2068
Comment 21 errata-xmlrpc 2022-12-08 13:07:08 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2022:8840 https://access.redhat.com/errata/RHSA-2022:8840
Comment 22 errata-xmlrpc 2022-12-08 13:21:58 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2022:8841 https://access.redhat.com/errata/RHSA-2022:8841
Comment 23 errata-xmlrpc 2022-12-12 12:25:33 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2022:8917 https://access.redhat.com/errata/RHSA-2022:8917
Comment 24 errata-xmlrpc 2022-12-12 12:39:38 UTC 
This issue has been addressed in the following products:

  JWS 5.7.1 release

Via RHSA-2022:8913 https://access.redhat.com/errata/RHSA-2022:8913