Bug 2164494 (CVE-2022-4450)
| Summary: | CVE-2022-4450 openssl: double free after calling PEM_read_bio_ex | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abuckta, acrosby, adudiak, aprice, bdettelb, berrange, bootloader-eng-team, caswilli, cllang, crizzo, csutherl, dbelyavs, ddepaula, dffrench, dfreiber, dhalasz, dkuc, dnakabaa, doconnor, drieden, drow, dsoumis, fjansen, gzaronik, hbraun, hkataria, ikanias, jary, jburrell, jclere, jferlan, jkoehler, jmitchel, joehler, jsamir, jtanner, jvasik, jwon, kaycoth, kraxel, kshier, lcouzens, lphiri, micjohns, mmadzin, mskarbek, mturk, ngough, nweather, oezr, orabin, pbonzini, peholase, pjindal, plodge, rblanco, rgodfrey, rh-spice-bugs, rmaucher, rogbas, rravi, security-response-team, stcannon, sthirugn, szappis, teagle, tfister, tohughes, vchlup, virt-maint, vkrizan, vkumar, vmugicag, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A double-free vulnerability was found in OpenSSL's PEM_read_bio_ex function. The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (for example, "CERTIFICATE"), any header data, and the payload data. If the function succeeds, then the "name_out," "header," and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. Constructing a PEM file that results in 0 bytes of payload data is possible. In this case, PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a freed buffer. A double-free will occur if the caller also frees this buffer. This will most likely lead to a crash. This could be exploited by an attacker who can supply malicious PEM files for parsing to achieve a denial of service attack.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-03-22 14:06:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2164581, 2164582, 2164583, 2164584, 2164585, 2164586, 2164587, 2166349, 2167904, 2167905, 2167906, 2167907, 2167908, 2167909, 2167910, 2167911, 2191729 | ||
| Bug Blocks: | 2164384 | ||
|
Description
Marian Rehak
2023-01-25 15:40:15 UTC
Created edk2 tracking bugs for this issue: Affects: fedora-36 [bug 2167906] Affects: fedora-37 [bug 2167909] Created openssl tracking bugs for this issue: Affects: fedora-36 [bug 2167907] Affects: fedora-37 [bug 2167910] Created openssl1.1 tracking bugs for this issue: Affects: fedora-36 [bug 2167908] Affects: fedora-37 [bug 2167911] Created openssl11 tracking bugs for this issue: Affects: epel-7 [bug 2167905] Created openssl3 tracking bugs for this issue: Affects: epel-8 [bug 2167904] This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:0946 https://access.redhat.com/errata/RHSA-2023:0946 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:1199 https://access.redhat.com/errata/RHSA-2023:1199 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:1405 https://access.redhat.com/errata/RHSA-2023:1405 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-4450 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2165 https://access.redhat.com/errata/RHSA-2023:2165 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2932 https://access.redhat.com/errata/RHSA-2023:2932 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:3408 https://access.redhat.com/errata/RHSA-2023:3408 This issue has been addressed in the following products: JBCS httpd 2.4.51.sp2 Via RHSA-2023:3355 https://access.redhat.com/errata/RHSA-2023:3355 This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services for RHEL 8 Via RHSA-2023:3354 https://access.redhat.com/errata/RHSA-2023:3354 This issue has been addressed in the following products: Red Hat JBoss Web Server 5.7 on RHEL 7 Red Hat JBoss Web Server 5.7 on RHEL 8 Red Hat JBoss Web Server 5.7 on RHEL 9 Via RHSA-2023:3420 https://access.redhat.com/errata/RHSA-2023:3420 This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2023:3421 https://access.redhat.com/errata/RHSA-2023:3421 |