Bug 2062202 (CVE-2022-0778) - CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
Summary: CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-0778
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2062314 2062315 2062394 2062758 2062761 2062781 2063129 2063130 2063131 2063132 2063133 2063134 2063145 2063146 2063147 2063148 2064911 2064913 2064914 2064915 2064917 2064918 2067141 2067142 2067143 2067144 2067145 2067146 2067159 2067160 2067161 2067208 2067209 2067210 2067211 2067222 2067223 2067224 2067225 2067226 2067227 2067228 2067229 2067230 2067231 2067232 2067973 2067974 2068507 2070101 2076699 2077417 2077418
Blocks: 2062201
TreeView+ depends on / blocked
 
Reported: 2022-03-09 11:42 UTC by Mauro Matteo Cascella
Modified: 2022-07-07 19:20 UTC (History)
112 users (show)

Fixed In Version: openssl 1.0.2zd, openssl 1.1.1n, openssl 3.0.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenSSL. It is possible to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing happens before verification of the certificate signature, any process that parses an externally supplied certificate may be subject to a denial of service attack.
Clone Of:
Environment:
Last Closed: 2022-07-01 01:24:54 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:1087 0 None None None 2022-03-28 23:56:47 UTC
Red Hat Product Errata RHBA-2022:1088 0 None None None 2022-03-29 01:09:46 UTC
Red Hat Product Errata RHBA-2022:1090 0 None None None 2022-03-29 06:56:47 UTC
Red Hat Product Errata RHBA-2022:1092 0 None None None 2022-03-29 09:38:44 UTC
Red Hat Product Errata RHBA-2022:1105 0 None None None 2022-03-29 08:24:04 UTC
Red Hat Product Errata RHBA-2022:1123 0 None None None 2022-03-29 15:39:17 UTC
Red Hat Product Errata RHBA-2022:1124 0 None None None 2022-03-29 15:43:01 UTC
Red Hat Product Errata RHBA-2022:1128 0 None None None 2022-03-29 17:53:05 UTC
Red Hat Product Errata RHBA-2022:1132 0 None None None 2022-03-29 18:18:18 UTC
Red Hat Product Errata RHBA-2022:1133 0 None None None 2022-03-29 18:27:37 UTC
Red Hat Product Errata RHBA-2022:1134 0 None None None 2022-03-29 18:28:45 UTC
Red Hat Product Errata RHBA-2022:1135 0 None None None 2022-03-29 18:29:18 UTC
Red Hat Product Errata RHBA-2022:1141 0 None None None 2022-03-30 12:42:30 UTC
Red Hat Product Errata RHBA-2022:1151 0 None None None 2022-03-31 18:45:02 UTC
Red Hat Product Errata RHBA-2022:1152 0 None None None 2022-03-31 21:34:22 UTC
Red Hat Product Errata RHBA-2022:1169 0 None None None 2022-04-01 18:11:15 UTC
Red Hat Product Errata RHBA-2022:1170 0 None None None 2022-04-04 01:20:14 UTC
Red Hat Product Errata RHBA-2022:1171 0 None None None 2022-04-04 01:28:36 UTC
Red Hat Product Errata RHBA-2022:1175 0 None None None 2022-04-04 10:08:26 UTC
Red Hat Product Errata RHBA-2022:1178 0 None None None 2022-04-04 15:58:50 UTC
Red Hat Product Errata RHBA-2022:1182 0 None None None 2022-04-04 18:56:47 UTC
Red Hat Product Errata RHBA-2022:1239 0 None None None 2022-04-05 23:42:12 UTC
Red Hat Product Errata RHBA-2022:1257 0 None None None 2022-04-06 16:11:56 UTC
Red Hat Product Errata RHBA-2022:1259 0 None None None 2022-04-06 17:14:21 UTC
Red Hat Product Errata RHBA-2022:1260 0 None None None 2022-04-06 17:14:46 UTC
Red Hat Product Errata RHBA-2022:1266 0 None None None 2022-04-07 14:11:08 UTC
Red Hat Product Errata RHBA-2022:1270 0 None None None 2022-04-07 17:05:54 UTC
Red Hat Product Errata RHBA-2022:1288 0 None None None 2022-04-11 01:20:03 UTC
Red Hat Product Errata RHBA-2022:1293 0 None None None 2022-04-11 13:18:59 UTC
Red Hat Product Errata RHBA-2022:1313 0 None None None 2022-04-12 09:12:54 UTC
Red Hat Product Errata RHBA-2022:1314 0 None None None 2022-04-12 10:59:51 UTC
Red Hat Product Errata RHBA-2022:1318 0 None None None 2022-04-12 11:28:53 UTC
Red Hat Product Errata RHBA-2022:1381 0 None None None 2022-04-18 10:45:47 UTC
Red Hat Product Errata RHBA-2022:1395 0 None None None 2022-04-19 10:04:06 UTC
Red Hat Product Errata RHBA-2022:1397 0 None None None 2022-04-19 11:40:30 UTC
Red Hat Product Errata RHBA-2022:1400 0 None None None 2022-04-19 14:18:46 UTC
Red Hat Product Errata RHBA-2022:1486 0 None None None 2022-04-21 09:50:11 UTC
Red Hat Product Errata RHBA-2022:1494 0 None None None 2022-04-21 14:44:46 UTC
Red Hat Product Errata RHBA-2022:1497 0 None None None 2022-04-21 15:44:23 UTC
Red Hat Product Errata RHBA-2022:1498 0 None None None 2022-04-21 12:21:41 UTC
Red Hat Product Errata RHBA-2022:1638 0 None None None 2022-04-28 05:23:48 UTC
Red Hat Product Errata RHSA-2022:1065 0 None None None 2022-03-28 08:41:06 UTC
Red Hat Product Errata RHSA-2022:1066 0 None None None 2022-03-28 10:55:05 UTC
Red Hat Product Errata RHSA-2022:1071 0 None None None 2022-03-28 10:14:29 UTC
Red Hat Product Errata RHSA-2022:1073 0 None None None 2022-03-28 09:55:47 UTC
Red Hat Product Errata RHSA-2022:1076 0 None None None 2022-03-28 09:53:58 UTC
Red Hat Product Errata RHSA-2022:1077 0 None None None 2022-03-28 11:33:35 UTC
Red Hat Product Errata RHSA-2022:1078 0 None None None 2022-03-28 11:14:58 UTC
Red Hat Product Errata RHSA-2022:1082 0 None None None 2022-03-28 13:50:05 UTC
Red Hat Product Errata RHSA-2022:1091 0 None None None 2022-03-29 07:25:27 UTC
Red Hat Product Errata RHSA-2022:1112 0 None None None 2022-03-29 13:55:42 UTC
Red Hat Product Errata RHSA-2022:1263 0 None None None 2022-04-07 09:03:53 UTC
Red Hat Product Errata RHSA-2022:1389 0 None None None 2022-04-20 19:42:22 UTC
Red Hat Product Errata RHSA-2022:1390 0 None None None 2022-04-20 19:30:47 UTC
Red Hat Product Errata RHSA-2022:1476 0 None None None 2022-04-20 23:46:36 UTC
Red Hat Product Errata RHSA-2022:1519 0 None None None 2022-05-02 11:05:43 UTC
Red Hat Product Errata RHSA-2022:1520 0 None None None 2022-05-02 11:03:49 UTC
Red Hat Product Errata RHSA-2022:4896 0 None None None 2022-06-03 13:48:45 UTC
Red Hat Product Errata RHSA-2022:4899 0 None None None 2022-06-04 00:19:59 UTC
Red Hat Product Errata RHSA-2022:4956 0 None None None 2022-06-09 02:06:34 UTC
Red Hat Product Errata RHSA-2022:5326 0 None None None 2022-06-28 15:13:38 UTC

Description Mauro Matteo Cascella 2022-03-09 11:42:44 UTC
The BN_mod_sqrt() function, which computes a modular square root, contains
a bug that can cause it to loop forever for non-prime moduli.

Internally this function is used when parsing certificates that contain
elliptic curve public keys in compressed form or explicit elliptic curve
parameters with a base point encoded in compressed form.

It is possible to trigger the infinite loop by crafting a certificate that
has invalid explicit curve parameters.

Since certificate parsing happens prior to verification of the certificate
signature, any process that parses an externally supplied certificate may thus
be subject to a denial of service attack. The infinite loop can also be
reached when parsing crafted private keys as they can contain explicit
elliptic curve parameters.

Thus vulnerable situations include:

TLS clients consuming server certificates
TLS servers consuming client certificates
Hosting providers taking certificates or private keys from customers
Certificate authorities parsing certification requests from subscribers
Anything else which parses ASN.1 elliptic curve parameters
Also any other applications that use the BN_mod_sqrt() where the attacker
can control the parameter values are vulnerable to this DoS issue.

On the OpenSSL 1.0.2 version the public key is not parsed during initial
parsing of the certificate which makes it slightly harder to trigger
the infinite loop. However any operation which requires the public key
from the certificate will trigger the infinite loop. In particular the
attacker can use a self-signed certificate to trigger the loop during
verification of the certificate signature.

This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was
addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022.

OpenSSL 1.0.2 users should upgrade to 1.0.2zd
OpenSSL 1.1.1 users should upgrade to 1.1.1n
OpenSSL 3.0 users should upgrade to 3.0.2

This issue was reported to OpenSSL on the 24th February 2022 by Tavis Ormandy
from Google. The fix was developed by David Benjamin from Google and Tomáš Mráz
from OpenSSL.

OpenSSL Security Advisory:
https://www.openssl.org/news/secadv/20220315.txt

Upstream patch:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65

Comment 16 Mauro Matteo Cascella 2022-03-16 20:53:05 UTC
Created edk2 tracking bugs for this issue:

Affects: fedora-all [bug 2064917]


Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 2064914]


Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 2064911]


Created openssl1.1 tracking bugs for this issue:

Affects: fedora-all [bug 2064918]


Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 2064913]


Created openssl3 tracking bugs for this issue:

Affects: epel-8 [bug 2064915]

Comment 31 errata-xmlrpc 2022-03-28 08:40:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1065 https://access.redhat.com/errata/RHSA-2022:1065

Comment 32 errata-xmlrpc 2022-03-28 09:53:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2022:1076 https://access.redhat.com/errata/RHSA-2022:1076

Comment 33 errata-xmlrpc 2022-03-28 09:55:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2022:1073 https://access.redhat.com/errata/RHSA-2022:1073

Comment 34 errata-xmlrpc 2022-03-28 10:14:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:1071 https://access.redhat.com/errata/RHSA-2022:1071

Comment 37 errata-xmlrpc 2022-03-28 10:55:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:1066 https://access.redhat.com/errata/RHSA-2022:1066

Comment 38 errata-xmlrpc 2022-03-28 11:14:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2022:1078 https://access.redhat.com/errata/RHSA-2022:1078

Comment 39 errata-xmlrpc 2022-03-28 11:33:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2022:1077 https://access.redhat.com/errata/RHSA-2022:1077

Comment 40 errata-xmlrpc 2022-03-28 13:50:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2022:1082 https://access.redhat.com/errata/RHSA-2022:1082

Comment 41 Christian Horn 2022-03-29 00:46:47 UTC
(In reply to errata-xmlrpc from comment #40)
> This issue has been addressed in the following products:
> 
>   Red Hat Enterprise Linux 7.3 Advanced Update Support
> 
> Via RHSA-2022:1082 https://access.redhat.com/errata/RHSA-2022:1082

That is not yet reflected in bz2067222.  Seems to also apply to
other errata, like the 7.4.z fix.

Comment 42 errata-xmlrpc 2022-03-29 07:25:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:1091 https://access.redhat.com/errata/RHSA-2022:1091

Comment 44 errata-xmlrpc 2022-03-29 13:55:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:1112 https://access.redhat.com/errata/RHSA-2022:1112

Comment 55 errata-xmlrpc 2022-04-07 09:03:46 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2022:1263 https://access.redhat.com/errata/RHSA-2022:1263

Comment 56 Jace Liang 2022-04-14 08:10:02 UTC
Dear team,

I see our errata for RHEL 7 only upgrades openssl to openssl-1.0.2k-25.el7_9
But the description of this CVE noted that 'OpenSSL 1.0.2 users should upgrade to 1.0.2zd'
Is our RHSA-2022:1066 already fixes this CVE?

Comment 57 Dmitry Belyavskiy 2022-04-14 11:30:20 UTC
1.0.2zd is an upstream version, we normally don't rebase to a new upstream version on fixing CVE. We apply the patches fixing the vulnerability and increase our version. Yes, the patch was added to openssl-1.0.2k-25

Comment 58 Hubert Kario 2022-04-20 13:44:55 UTC
Jace, please see this article on the topic of backporting security fixes: https://access.redhat.com/security/updates/backporting

Comment 59 errata-xmlrpc 2022-04-20 19:30:40 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2022:1390 https://access.redhat.com/errata/RHSA-2022:1390

Comment 60 errata-xmlrpc 2022-04-20 19:42:14 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2022:1389 https://access.redhat.com/errata/RHSA-2022:1389

Comment 61 errata-xmlrpc 2022-04-20 23:46:29 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:1476 https://access.redhat.com/errata/RHSA-2022:1476

Comment 64 errata-xmlrpc 2022-05-02 11:03:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2022:1520 https://access.redhat.com/errata/RHSA-2022:1520

Comment 65 errata-xmlrpc 2022-05-02 11:05:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.6 on RHEL 7
  Red Hat JBoss Web Server 5.6 on RHEL 8

Via RHSA-2022:1519 https://access.redhat.com/errata/RHSA-2022:1519

Comment 66 john broome 2022-05-05 19:51:19 UTC
(In reply to errata-xmlrpc from comment #37)
> This issue has been addressed in the following products:
> 
>   Red Hat Enterprise Linux 7
> 
> Via RHSA-2022:1066 https://access.redhat.com/errata/RHSA-2022:1066


This is super minor, but I just found it grepping the rpm changelog for this CVE.  The changelog lists the CVE that was fixed as CVE-2022-2078 (which doesn't exist) instead of CVE-2022-0778.

Here's what's in the changelog:

* Wed Mar 23 2022 Dmitry Belyavskiy <dbelyavs> - 1:1.0.2k-25
- Fixes CVE-2022-2078 Infinite loop in BN_mod_sqrt() reachable when parsing certificates
- Related: rhbz#2067160

Comment 75 errata-xmlrpc 2022-06-03 13:48:38 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:4896 https://access.redhat.com/errata/RHSA-2022:4896

Comment 76 errata-xmlrpc 2022-06-04 00:19:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:4899 https://access.redhat.com/errata/RHSA-2022:4899

Comment 80 errata-xmlrpc 2022-06-09 02:06:29 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:4956 https://access.redhat.com/errata/RHSA-2022:4956

Comment 85 errata-xmlrpc 2022-06-28 15:13:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5326 https://access.redhat.com/errata/RHSA-2022:5326

Comment 87 Product Security DevOps Team 2022-07-01 01:24:44 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0778


Note You need to log in before you can comment on or make changes to this bug.