Bug 2139104 (CVE-2022-3786) - CVE-2022-3786 OpenSSL: X.509 Email Address Variable Length Buffer Overflow
Summary: CVE-2022-3786 OpenSSL: X.509 Email Address Variable Length Buffer Overflow
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-3786
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2139105 2139106 2139107 2139151 2139152
Blocks: 2137628
TreeView+ depends on / blocked
 
Reported: 2022-11-01 13:31 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-11-10 11:13 UTC (History)
83 users (show)

Fixed In Version: openssl 3.0.7
Doc Type: If docs needed, set a value
Doc Text:
A stack-based buffer overflow was found in the way OpenSSL processes X.509 certificates with a specially crafted email address field. This issue could cause a server or a client application compiled with OpenSSL to crash or possibly execute remote code when trying to process the malicious certificate.
Clone Of:
Environment:
Last Closed: 2022-11-10 11:13:43 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:7426 0 None None None 2022-11-03 17:58:08 UTC
Red Hat Product Errata RHBA-2022:7429 0 None None None 2022-11-04 17:26:33 UTC
Red Hat Product Errata RHSA-2022:7288 0 None None None 2022-11-01 18:35:07 UTC
Red Hat Product Errata RHSA-2022:7384 0 None None None 2022-11-03 13:04:53 UTC

Description Guilherme de Almeida Suckevicz 2022-11-01 13:31:55 UTC 
As per upstream report:

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).

In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
Comment 2 Sandipan Roy 2022-11-01 16:11:34 UTC 
The flaw is Public Now, Lifting Embargoed.
https://www.openssl.org/news/secadv/20221101.txt
Comment 3 Sandipan Roy 2022-11-01 16:12:16 UTC 
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 2139151]


Created openssl3 tracking bugs for this issue:

Affects: epel-all [bug 2139152]
Comment 5 errata-xmlrpc 2022-11-01 18:35:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7288 https://access.redhat.com/errata/RHSA-2022:7288
Comment 10 errata-xmlrpc 2022-11-03 13:04:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7384 https://access.redhat.com/errata/RHSA-2022:7384
Note You need to log in before you can comment on or make changes to this bug.