Bug 2087911 (CVE-2022-1343) - CVE-2022-1343 openssl: Signer certificate verification returns inaccurate response when using OCSP_NOCHECKS
Summary: CVE-2022-1343 openssl: Signer certificate verification returns inaccurate res...
Keywords:
Status: NEW
Alias: CVE-2022-1343
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2089439 2089440 2089472
Blocks: 2087910
Reported: 2022-05-18 14:21 UTC by Patrick Del Bello
Modified: 2022-06-24 05:54 UTC (History)
CC: 44 users

Fixed In Version: openssl 3.0.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenSSL's Online Certificate Status Protocol (OCSP) response functionality, in the signer certificate verification routines. When an application passes the non-default OCSP_NOCHECKS flag, OCSP_basic_verify reports success even though the certificate that signed the OCSP response failed to verify. This flaw could result in a linked application falsely believing that an X.509 digital certificate is either "good" or "unknown" when it has in fact been revoked; it requires that the application use a non-default configuration. This vulnerability leads to an issue with data integrity and confidentiality.
Clone Of:
Environment:
Last Closed:



Description Patrick Del Bello 2022-05-18 14:21:39 UTC
The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify.

It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0.

This issue also impacts the command line OpenSSL "ocsp" application. When verifying an OCSP response with the "-no_cert_checks" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result.

Fixed in OpenSSL 3.0.3 (Affected 3.0.0, 3.0.1, 3.0.2).

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2eda98790c5c2741d76d23cc1e74b0dc4f4b391a
https://www.openssl.org/news/secadv/20220503.txt

Comment 2 Todd Cullum 2022-05-23 18:40:40 UTC
Created openssl3 tracking bugs for this issue:

Affects: epel-8 [bug 2089472]

Comment 3 Todd Cullum 2022-05-24 22:44:35 UTC
I dropped the severity to Moderate because OCSP_NOCHECKS is not the default, is not expected to be commonly used, and there is still an indication of failure at the CLI for the ocsp application.

