Bug 2081494 (CVE-2022-1292) - CVE-2022-1292 openssl: c_rehash script allows command injection
Summary: CVE-2022-1292 openssl: c_rehash script allows command injection
Keywords:
Status: NEW
Alias: CVE-2022-1292
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2081827 2090361 2090362 2090372 2090386 2095798 2095799 2095800 2095814 2095815 2095816 2095817 2111157 2090371 2090388 2090566 2095801 2095802 2095812 2095813 2095818
Blocks: 2081495
Reported: 2022-05-03 21:53 UTC by Patrick Del Bello
Modified: 2022-08-03 13:00 UTC (History)

Fixed In Version: openssl 1.0.2ze, openssl 1.1.1o, openssl 3.0.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenSSL. The `c_rehash` script does not properly sanitize shell meta-characters to prevent command injection. Some operating systems distribute this script in a manner where it is automatically executed. This flaw allows an attacker to execute arbitrary commands with the privileges of the script on these operating systems.
Clone Of:
Environment:
Last Closed:

Links:
Red Hat Product Errata RHSA-2022:5818 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2022-08-03 13:00:21 UTC)

Description Patrick Del Bello 2022-05-03 21:53:57 UTC
The c_rehash script does not properly sanitise shell metacharacters to
prevent command injection.  This script is distributed by some operating
systems in a manner where it is automatically executed.  On such operating
systems, an attacker could execute arbitrary commands with the privileges
of the script.

Use of the c_rehash script is considered obsolete and should be replaced
by the OpenSSL rehash command line tool.

This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.

OpenSSL 1.0.2 users should upgrade to 1.0.2ze
OpenSSL 1.1.1 users should upgrade to 1.1.1o
OpenSSL 3.0 users should upgrade to 3.0.3
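
As an added example, not part of this report or of OpenSSL, a POSIX shell check that takes the version token printed by `openssl version` and reports whether it is at or past the fixed releases listed above. The function names, and the handling of OpenSSL's letter suffixes ("" < a..z < za..zz) for the 1.0.2 and 1.1.1 branches versus the plain patch number for 3.0, are assumptions of the example.

```sh
#!/bin/sh
# Added example, not part of the bug report or of OpenSSL: given the version
# token printed by `openssl version` (e.g. "1.1.1n"), report whether it is at
# or past the fixed releases named in the report (1.0.2ze, 1.1.1o, 3.0.3).
# Assumption: 1.0.2/1.1.1 use OpenSSL's letter suffixes, "" < a..z < za..zz.

# Rank a letter suffix so that suffixes compare in release order.
suffix_rank() {
  s="$1"
  rank=0
  while [ -n "$s" ]; do
    c=$(printf '%s' "$s" | cut -c1)
    s=$(printf '%s' "$s" | cut -c2-)
    n=$(printf '%d' "'$c")          # ASCII code of the letter
    rank=$((rank * 26 + n - 96))    # 'a' -> 1 ... 'z' -> 26, "za" > "z"
  done
  echo "$rank"
}

# Returns 0 if VERSION carries the fix, 1 if it is affected,
# 2 if it is not one of the 1.0.2 / 1.1.1 / 3.0 branches in the report.
openssl_fixed_for_cve_2022_1292() {
  num=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')              # "1.1.1n" -> "1.1.1"
  suf=$(printf '%s' "$1" | sed 's/^[0-9.]*//; s/[^a-z].*$//')  # "1.1.1n" -> "n"
  case "$num" in
    1.0.2) fixed_letter=ze ;;
    1.1.1) fixed_letter=o ;;
    3.0.*) # 3.0 carries no letter suffix; the patch number decides
      [ "${num##*.}" -ge 3 ] && return 0 || return 1 ;;
    *) return 2 ;;
  esac
  [ "$(suffix_rank "$suf")" -ge "$(suffix_rank "$fixed_letter")" ] && return 0 || return 1
}

# Usage: sh check.sh "$(openssl version | cut -d' ' -f2)"
if [ $# -gt 0 ]; then
  rc=0
  openssl_fixed_for_cve_2022_1292 "$1" || rc=$?
  case $rc in
    0) echo "$1: carries the CVE-2022-1292 fix" ;;
    1) echo "$1: affected, upgrade to 1.0.2ze / 1.1.1o / 3.0.3" ;;
    *) echo "$1: branch not covered by this report" ;;
  esac
fi
```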

Comment 9 Mauro Matteo Cascella 2022-06-10 16:06:00 UTC
Created edk2 tracking bugs for this issue:

Affects: fedora-all [bug 2095816]


Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 2095815]


Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 2095812]


Created openssl1.1 tracking bugs for this issue:

Affects: fedora-all [bug 2095817]


Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 2095813]


Created openssl3 tracking bugs for this issue:

Affects: epel-8 [bug 2095814]


Created shim tracking bugs for this issue:

Affects: fedora-all [bug 2095818]

Comment 11 errata-xmlrpc 2022-08-03 13:00:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5818 https://access.redhat.com/errata/RHSA-2022:5818