When CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.
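An added illustration of the risk class described above, not code from this bug report or from OpenSSL: it flags certificate-like file names in a directory that a shell would not treat as one plain word, and builds an argument vector so the file name is never parsed by a shell. The function names, suffix list, allow-list and sample file names are assumptions constructed for this example.

```python
import os
import re
import tempfile

# Assumed allow-list: names made only of these characters are a single shell word.
SAFE_NAME = re.compile(r"[A-Za-z0-9._@%+=:,-]+")
# Assumed set of suffixes treated as certificate or CRL files.
CERT_SUFFIXES = (".pem", ".crt", ".cer", ".crl")


def suspicious_cert_names(directory):
    """Return certificate-like file names that are unsafe to splice into a shell command."""
    flagged = []
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(CERT_SUFFIXES):
            continue
        # A leading "-" is flagged too: it could be read as an option.
        if not SAFE_NAME.fullmatch(name) or name.startswith("-"):
            flagged.append(name)
    return flagged


def hash_argv(directory, name):
    """Argument vector for hashing one certificate; no shell ever parses the name."""
    path = os.path.join(os.path.abspath(directory), name)
    return ["openssl", "x509", "-subject_hash", "-noout", "-in", path]


def demo():
    """Run the audit over a constructed directory of sample file names."""
    samples = ("ca.pem", "my root.crt", "a;b.pem", "c$(d).crt", "-out.pem", "notes.txt")
    with tempfile.TemporaryDirectory() as d:
        for name in samples:
            open(os.path.join(d, name), "w").close()
        return suspicious_cert_names(d), hash_argv(d, "a;b.pem")


if __name__ == "__main__":
    flagged, argv = demo()
    print("flagged:", flagged)
    # Pass argv to subprocess.run(argv) with the default shell=False.
    print("argv:", argv)
```

Flagged names are candidates for review, not proof of tampering; a name with a space is flagged because it would split into two words if interpolated into a shell command line.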
Created edk2 tracking bugs for this issue:
  Affects: fedora-all [bug 2099974]
Created mingw-openssl tracking bugs for this issue:
  Affects: fedora-all [bug 2099971]
Created openssl tracking bugs for this issue:
  Affects: fedora-all [bug 2099972]
Created openssl1.1 tracking bugs for this issue:
  Affects: fedora-all [bug 2099975]
Created openssl11 tracking bugs for this issue:
  Affects: epel-7 [bug 2099969]
Created openssl3 tracking bugs for this issue:
  Affects: epel-8 [bug 2099970]
Created shim tracking bugs for this issue:
  Affects: fedora-all [bug 2099973]
OpenSSL Security Advisory:
  https://www.openssl.org/news/secadv/20220621.txt
Upstream commits:
  https://github.com/openssl/openssl/commit/2c9c35870601b4a44d86ddbf512b38df38285cfa [OpenSSL 3.0.4]
  https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7 [OpenSSL 1.1.1p]
  https://github.com/openssl/openssl/commit/7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9 [OpenSSL 1.0.2zf]
Follow-up commit: https://github.com/openssl/openssl/commit/8a3579a7b7067a983e69a4eda839ac408c120739 [OpenSSL 3.0.4]
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2022:5818 https://access.redhat.com/errata/RHSA-2022:5818
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9
Via RHSA-2022:6224 https://access.redhat.com/errata/RHSA-2022:6224
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-2068
This issue has been addressed in the following products:
  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8
Via RHSA-2022:8840 https://access.redhat.com/errata/RHSA-2022:8840
This issue has been addressed in the following products:
  Red Hat JBoss Core Services
Via RHSA-2022:8841 https://access.redhat.com/errata/RHSA-2022:8841
This issue has been addressed in the following products:
  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9
Via RHSA-2022:8917 https://access.redhat.com/errata/RHSA-2022:8917
This issue has been addressed in the following products:
  JWS 5.7.1 release
Via RHSA-2022:8913 https://access.redhat.com/errata/RHSA-2022:8913
This issue has been addressed in the following products:
  Red Hat Satellite 6.13 for RHEL 8
Via RHSA-2023:5931 https://access.redhat.com/errata/RHSA-2023:5931
This issue has been addressed in the following products:
  Red Hat Satellite 6.12 for RHEL 8
Via RHSA-2023:5979 https://access.redhat.com/errata/RHSA-2023:5979
This issue has been addressed in the following products:
  Red Hat Satellite 6.11 for RHEL 7
  Red Hat Satellite 6.11 for RHEL 8
Via RHSA-2023:5980 https://access.redhat.com/errata/RHSA-2023:5980
This issue has been addressed in the following products:
  Satellite Client 6 for RHEL 6
  Satellite Client 6 for RHEL 7
  Satellite Client 6 for RHEL 8
  Satellite Client 6 for RHEL 9
Via RHSA-2023:5982 https://access.redhat.com/errata/RHSA-2023:5982
This issue has been addressed in the following products:
  Red Hat Satellite 6.14 for RHEL 8
Via RHSA-2023:6818 https://access.redhat.com/errata/RHSA-2023:6818