Bug 2137723 (CVE-2022-3602)

Summary: CVE-2022-3602 OpenSSL: X.509 Email Address Buffer Overflow
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abrianik, abuckta, adudiak, alcohan, aprice, arachman, asoldano, bbaranow, bdettelb, berrange, bmaxwell, bootloader-eng-team, brian.stansberry, caswilli, cdewolf, chazlett, cllang, crizzo, csutherl, darran.lofthouse, dbelyavs, ddepaula, dffrench, dfreiber, dhalasz, dkreling, dkuc, dnakabaa, doconnor, dosoudil, drieden, drow, dsoumis, fjansen, fjuma, gparvin, gzaronik, hbraun, hkario, hkataria, ikanias, istudens, ivassile, iweiss, jary, jbalunas, jburrell, jclere, jferlan, jkoehler, jmitchel, joehler, jsamir, jvasik, jwong, jwon, kaycoth, kraxel, kshier, lcouzens, lgao, lphiri, luizcosta, lveyde, michal.skrivanek, micjohns, mmadzin, mosmerov, mperina, mskarbek, msochure, msvehla, mturk, ngough, njean, nwallace, nweather, oezr, orabin, owatkins, pahickey, pbonzini, peholase, pesilva, pjindal, plodge, pmackay, rblanco, rgodfrey, rhaigner, rh-spice-bugs, rmaucher, rogbas, rravi, rstancel, sbonazzo, security-response-team, smaestri, stcannon, sthirugn, szappis, teagle, tfister, tohughes, tom.jenkinson, vchlup, virt-maint, vkrizan, vkumar, vmugicag, yguenane, ymittal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssl 3.0.7 Doc Type: If docs needed, set a value
Doc Text:
A stack-based buffer overflow was found in the way OpenSSL processes X.509 certificates with a specially crafted email address field. This issue could cause a server or a client application compiled with OpenSSL to crash when trying to process the malicious certificate.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-10 11:13:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2137727, 2137728, 2137729, 2137730, 2139149, 2139150    
Bug Blocks: 2137628    

Description Huzaifa S. Sidhpurwala 2022-10-26 02:05:41 UTC 
As per upstream report:

A buffer overrun can be triggered by sending an X.509 certificate with a specially crafted email address field to a vulnerable client or server. This can result in an overflow of four attacker-controlled bytes on the stack. This could result in a crash (causing a denial of service) or possibly result in remote code execution.

The most common situation where this can be triggered is when a server requests client authentication after a malicious client connects. The converse of a client connecting to a malicious server is also believed to be vulnerable in the same manner.

OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this attack.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
Comment 7 Sandipan Roy 2022-11-01 16:12:04 UTC 
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 2139149]


Created openssl3 tracking bugs for this issue:

Affects: epel-all [bug 2139150]
Comment 8 Sandipan Roy 2022-11-01 16:12:19 UTC 
The flaw is Public Now, Lifting Embargoed.
https://www.openssl.org/news/secadv/20221101.txt
Comment 9 errata-xmlrpc 2022-11-01 18:36:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7288 https://access.redhat.com/errata/RHSA-2022:7288
Comment 11 errata-xmlrpc 2022-11-02 18:48:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7384 https://access.redhat.com/errata/RHSA-2022:7384