Bug 2164494 (CVE-2022-4450) - CVE-2022-4450 openssl: double free after calling PEM_read_bio_ex
Summary: CVE-2022-4450 openssl: double free after calling PEM_read_bio_ex
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-4450
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2164581 2164582 2164583 2164584 2164585 2164586 2164587 2166349 2167904 2167905 2167906 2167907 2167908 2167909 2167910 2167911 2191729
Blocks: 2164384
TreeView+ depends on / blocked
 
Reported: 2023-01-25 15:40 UTC by Marian Rehak
Modified: 2023-12-07 17:59 UTC (History)
55 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A double-free vulnerability was found in OpenSSL's PEM_read_bio_ex function. The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (for example, "CERTIFICATE"), any header data, and the payload data. If the function succeeds, then the "name_out," "header," and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. Constructing a PEM file that results in 0 bytes of payload data is possible. In this case, PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a freed buffer. A double-free will occur if the caller also frees this buffer. This will most likely lead to a crash. This could be exploited by an attacker who can supply malicious PEM files for parsing to achieve a denial of service attack.
Clone Of:
Environment:
Last Closed: 2023-03-22 14:06:07 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:1413 0 None None None 2023-03-22 19:48:38 UTC
Red Hat Product Errata RHBA-2023:1414 0 None None None 2023-03-22 19:48:46 UTC
Red Hat Product Errata RHBA-2023:1415 0 None None None 2023-03-22 19:55:00 UTC
Red Hat Product Errata RHBA-2023:1416 0 None None None 2023-03-22 20:48:33 UTC
Red Hat Product Errata RHBA-2023:1417 0 None None None 2023-03-22 20:45:00 UTC
Red Hat Product Errata RHBA-2023:1418 0 None None None 2023-03-22 20:56:38 UTC
Red Hat Product Errata RHBA-2023:1419 0 None None None 2023-03-22 21:00:58 UTC
Red Hat Product Errata RHBA-2023:1420 0 None None None 2023-03-22 21:25:37 UTC
Red Hat Product Errata RHBA-2023:1421 0 None None None 2023-03-22 21:26:46 UTC
Red Hat Product Errata RHBA-2023:1422 0 None None None 2023-03-22 21:34:50 UTC
Red Hat Product Errata RHBA-2023:1423 0 None None None 2023-03-22 21:37:36 UTC
Red Hat Product Errata RHBA-2023:1424 0 None None None 2023-03-22 21:42:59 UTC
Red Hat Product Errata RHBA-2023:1425 0 None None None 2023-03-22 21:38:52 UTC
Red Hat Product Errata RHBA-2023:1426 0 None None None 2023-03-22 21:47:29 UTC
Red Hat Product Errata RHBA-2023:1431 0 None None None 2023-03-23 08:53:32 UTC
Red Hat Product Errata RHBA-2023:1446 0 None None None 2023-03-23 13:05:08 UTC
Red Hat Product Errata RHBA-2023:1449 0 None None None 2023-03-23 17:48:04 UTC
Red Hat Product Errata RHBA-2023:1459 0 None None None 2023-03-27 01:23:08 UTC
Red Hat Product Errata RHBA-2023:1460 0 None None None 2023-03-27 06:59:03 UTC
Red Hat Product Errata RHBA-2023:1461 0 None None None 2023-03-27 08:50:22 UTC
Red Hat Product Errata RHBA-2023:1463 0 None None None 2023-03-27 07:48:54 UTC
Red Hat Product Errata RHBA-2023:1464 0 None None None 2023-03-27 10:35:16 UTC
Red Hat Product Errata RHBA-2023:1465 0 None None None 2023-03-27 08:02:51 UTC
Red Hat Product Errata RHBA-2023:1475 0 None None None 2023-03-27 10:36:08 UTC
Red Hat Product Errata RHBA-2023:1476 0 None None None 2023-03-27 11:23:57 UTC
Red Hat Product Errata RHBA-2023:1477 0 None None None 2023-03-27 10:54:18 UTC
Red Hat Product Errata RHBA-2023:1493 0 None None None 2023-03-28 11:36:23 UTC
Red Hat Product Errata RHBA-2023:1497 0 None None None 2023-03-28 14:02:05 UTC
Red Hat Product Errata RHBA-2023:1499 0 None None None 2023-03-28 17:57:59 UTC
Red Hat Product Errata RHBA-2023:1500 0 None None None 2023-03-28 19:04:55 UTC
Red Hat Product Errata RHBA-2023:1502 0 None None None 2023-03-28 21:16:09 UTC
Red Hat Product Errata RHBA-2023:1517 0 None None None 2023-03-29 12:59:26 UTC
Red Hat Product Errata RHBA-2023:1519 0 None None None 2023-03-29 12:50:00 UTC
Red Hat Product Errata RHBA-2023:1520 0 None None None 2023-03-29 12:45:50 UTC
Red Hat Product Errata RHBA-2023:1530 0 None None None 2023-03-30 09:59:25 UTC
Red Hat Product Errata RHBA-2023:1532 0 None None None 2023-03-30 12:21:32 UTC
Red Hat Product Errata RHBA-2023:1536 0 None None None 2023-03-30 15:40:01 UTC
Red Hat Product Errata RHBA-2023:1539 0 None None None 2023-03-30 19:40:06 UTC
Red Hat Product Errata RHBA-2023:1625 0 None None None 2023-04-04 14:23:37 UTC
Red Hat Product Errata RHBA-2023:1626 0 None None None 2023-04-04 15:41:55 UTC
Red Hat Product Errata RHBA-2023:1627 0 None None None 2023-04-04 16:48:20 UTC
Red Hat Product Errata RHBA-2023:1628 0 None None None 2023-04-04 16:42:17 UTC
Red Hat Product Errata RHBA-2023:1641 0 None None None 2023-04-05 02:58:37 UTC
Red Hat Product Errata RHBA-2023:1654 0 None None None 2023-04-05 12:31:08 UTC
Red Hat Product Errata RHBA-2023:1708 0 None None None 2023-04-11 14:49:55 UTC
Red Hat Product Errata RHBA-2023:1736 0 None None None 2023-04-11 21:35:18 UTC
Red Hat Product Errata RHBA-2023:1764 0 None None None 2023-04-12 21:25:20 UTC
Red Hat Product Errata RHBA-2023:1798 0 None None None 2023-04-17 01:50:51 UTC
Red Hat Product Errata RHBA-2023:1800 0 None None None 2023-04-17 13:18:37 UTC
Red Hat Product Errata RHBA-2023:1825 0 None None None 2023-04-18 16:52:57 UTC
Red Hat Product Errata RHBA-2023:1850 0 None None None 2023-04-18 21:30:23 UTC
Red Hat Product Errata RHBA-2023:1886 0 None None None 2023-04-19 19:40:52 UTC
Red Hat Product Errata RHBA-2023:1929 0 None None None 2023-04-24 01:45:04 UTC
Red Hat Product Errata RHBA-2023:2033 0 None None None 2023-04-26 18:29:13 UTC
Red Hat Product Errata RHBA-2023:2048 0 None None None 2023-04-27 13:25:51 UTC
Red Hat Product Errata RHBA-2023:2086 0 None None None 2023-05-02 18:15:04 UTC
Red Hat Product Errata RHBA-2023:2088 0 None None None 2023-05-03 02:30:48 UTC
Red Hat Product Errata RHBA-2023:2105 0 None None None 2023-05-03 22:06:06 UTC
Red Hat Product Errata RHBA-2023:2106 0 None None None 2023-05-03 22:25:52 UTC
Red Hat Product Errata RHSA-2023:0946 0 None None None 2023-02-28 08:18:14 UTC
Red Hat Product Errata RHSA-2023:1199 0 None None None 2023-03-14 13:53:03 UTC
Red Hat Product Errata RHSA-2023:1405 0 None None None 2023-03-22 10:33:48 UTC
Red Hat Product Errata RHSA-2023:2165 0 None None None 2023-05-09 07:13:30 UTC
Red Hat Product Errata RHSA-2023:2932 0 None None None 2023-05-16 08:29:57 UTC
Red Hat Product Errata RHSA-2023:3354 0 None None None 2023-06-05 11:51:03 UTC
Red Hat Product Errata RHSA-2023:3355 0 None None None 2023-06-05 11:47:13 UTC
Red Hat Product Errata RHSA-2023:3408 0 None None None 2023-05-31 18:36:55 UTC
Red Hat Product Errata RHSA-2023:3420 0 None None None 2023-06-05 13:56:10 UTC
Red Hat Product Errata RHSA-2023:3421 0 None None None 2023-06-05 14:16:41 UTC

Description Marian Rehak 2023-01-25 15:40:15 UTC 
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack.
Comment 5 Zack Miele 2023-02-07 17:57:30 UTC 
Created edk2 tracking bugs for this issue:

Affects: fedora-36 [bug 2167906]
Affects: fedora-37 [bug 2167909]


Created openssl tracking bugs for this issue:

Affects: fedora-36 [bug 2167907]
Affects: fedora-37 [bug 2167910]


Created openssl1.1 tracking bugs for this issue:

Affects: fedora-36 [bug 2167908]
Affects: fedora-37 [bug 2167911]


Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 2167905]


Created openssl3 tracking bugs for this issue:

Affects: epel-8 [bug 2167904]
Comment 6 errata-xmlrpc 2023-02-28 08:18:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0946 https://access.redhat.com/errata/RHSA-2023:0946
Comment 7 errata-xmlrpc 2023-03-14 13:52:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1199 https://access.redhat.com/errata/RHSA-2023:1199
Comment 8 errata-xmlrpc 2023-03-22 10:33:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1405 https://access.redhat.com/errata/RHSA-2023:1405
Comment 9 Product Security DevOps Team 2023-03-22 14:06:01 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-4450
Comment 10 errata-xmlrpc 2023-05-09 07:13:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2165 https://access.redhat.com/errata/RHSA-2023:2165
Comment 11 errata-xmlrpc 2023-05-16 08:29:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2932 https://access.redhat.com/errata/RHSA-2023:2932
Comment 12 errata-xmlrpc 2023-05-31 18:36:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:3408 https://access.redhat.com/errata/RHSA-2023:3408
Comment 13 errata-xmlrpc 2023-06-05 11:47:08 UTC 
This issue has been addressed in the following products:

  JBCS httpd 2.4.51.sp2

Via RHSA-2023:3355 https://access.redhat.com/errata/RHSA-2023:3355
Comment 14 errata-xmlrpc 2023-06-05 11:50:58 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2023:3354 https://access.redhat.com/errata/RHSA-2023:3354
Comment 15 errata-xmlrpc 2023-06-05 13:56:05 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:3420 https://access.redhat.com/errata/RHSA-2023:3420
Comment 16 errata-xmlrpc 2023-06-05 14:16:36 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2023:3421 https://access.redhat.com/errata/RHSA-2023:3421
Note You need to log in before you can comment on or make changes to this bug.