The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. OpenSSL 1.0.2 users should upgrade to 1.0.2ze OpenSSL 1.1.1 users should upgrade to 1.1.1o OpenSSL 3.0 users should upgrade to 3.0.3
OpenSSL Security Advisory: https://www.openssl.org/news/secadv/20220503.txt Upstream fix: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7c33270707b568c524a8ef125fe611a8872cb5e8
Created edk2 tracking bugs for this issue: Affects: fedora-all [bug 2095816] Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 2095815] Created openssl tracking bugs for this issue: Affects: fedora-all [bug 2095812] Created openssl1.1 tracking bugs for this issue: Affects: fedora-all [bug 2095817] Created openssl11 tracking bugs for this issue: Affects: epel-7 [bug 2095813] Created openssl3 tracking bugs for this issue: Affects: epel-8 [bug 2095814] Created shim tracking bugs for this issue: Affects: fedora-all [bug 2095818]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:5818 https://access.redhat.com/errata/RHSA-2022:5818
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:6224 https://access.redhat.com/errata/RHSA-2022:6224
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-1292
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services for RHEL 8 Via RHSA-2022:8840 https://access.redhat.com/errata/RHSA-2022:8840
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2022:8841 https://access.redhat.com/errata/RHSA-2022:8841
This issue has been addressed in the following products: Red Hat JBoss Web Server 5.7 on RHEL 7 Red Hat JBoss Web Server 5.7 on RHEL 8 Red Hat JBoss Web Server 5.7 on RHEL 9 Via RHSA-2022:8917 https://access.redhat.com/errata/RHSA-2022:8917
This issue has been addressed in the following products: JWS 5.7.1 release Via RHSA-2022:8913 https://access.redhat.com/errata/RHSA-2022:8913
This issue has been addressed in the following products: Red Hat Satellite 6.13 for RHEL 8 Via RHSA-2023:5931 https://access.redhat.com/errata/RHSA-2023:5931
This issue has been addressed in the following products: Red Hat Satellite 6.12 for RHEL 8 Via RHSA-2023:5979 https://access.redhat.com/errata/RHSA-2023:5979
This issue has been addressed in the following products: Red Hat Satellite 6.11 for RHEL 7 Red Hat Satellite 6.11 for RHEL 8 Via RHSA-2023:5980 https://access.redhat.com/errata/RHSA-2023:5980
This issue has been addressed in the following products: Satellite Client 6 for RHEL 6 Satellite Client 6 for RHEL 7 Satellite Client 6 for RHEL 8 Satellite Client 6 for RHEL 9 Via RHSA-2023:5982 https://access.redhat.com/errata/RHSA-2023:5982
This issue has been addressed in the following products: Red Hat Satellite 6.14 for RHEL 8 Via RHSA-2023:6818 https://access.redhat.com/errata/RHSA-2023:6818