The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds, the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data, and the caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() returns a failure code but populates the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer, a double free occurs, which will most likely lead to a crash. An attacker who can supply malicious PEM files for parsing can exploit this to achieve a denial of service. PEM_read_bio() and PEM_read() are thin wrappers around PEM_read_bio_ex() and are affected in the same way; callers that do not free the header argument when PEM_read_bio_ex() reports failure are not affected. Fixed upstream in OpenSSL 3.0.8 and 1.1.1t.
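The ownership bug described above is easiest to see with the two contracts side by side. The following is an added example, not OpenSSL's code: a small PEM reader with the same out-parameter shape as PEM_read_bio_ex() (name, header, payload, length), a wrapper that reproduces the pre-fix error path (out-params written before the "no data" check, then freed without being cleared), the fixed shape (out-params written only on success), and a hardened caller. All function names (pem_split, pem_read_ex_dangling, pem_read_ex, load_payload_len) and both PEM inputs are this example's own constructions; it assumes NUL-terminated input with LF line endings and does not link against libcrypto.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenSSL code: a minimal PEM reader with the same
 * out-parameter contract as PEM_read_bio_ex() (name, header, payload, length),
 * showing the zero-byte-payload error path from both sides: a wrapper shaped
 * like the pre-fix code, which leaves the header pointer dangling, and a fixed
 * one that writes the out-params only on success. Every name below belongs to
 * this example; input is assumed NUL-terminated text with LF line endings. */

static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;   /* '=', newlines, junk: skipped */
}

/* Decode base64 text into out (at least n bytes); returns the decoded length. */
static size_t b64_decode(const char *in, size_t n, unsigned char *out)
{
    unsigned acc = 0; int bits = 0; size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        int v = b64_val((unsigned char)in[i]);
        if (v < 0) continue;
        acc = (acc << 6) | (unsigned)v; bits += 6;
        if (bits >= 8) { bits -= 8; out[o++] = (unsigned char)(acc >> bits); }
    }
    return o;
}

/* Split one BEGIN/END block into caller-owned buffers: 1 on success, 0 if
 * malformed. Header lines end at the first blank line. A 0-byte payload is
 * still a parse success here; what to do with it is the wrappers' decision. */
static int pem_split(const char *buf, char **name, char **header,
                     unsigned char **data, size_t *len)
{
    const char *b = strstr(buf, "-----BEGIN ");
    const char *be = b ? strstr(b + 11, "-----\n") : NULL;
    if (be == NULL) return 0;
    b += 11;
    size_t nlen = (size_t)(be - b);
    char endtag[64];                           /* "-----END <name>-----" */
    if (nlen + 15 > sizeof endtag) return 0;
    memcpy(endtag, "-----END ", 9); memcpy(endtag + 9, b, nlen);
    memcpy(endtag + 9 + nlen, "-----", 6);
    const char *body = be + 6, *e = strstr(body, endtag);
    if (e == NULL) return 0;
    const char *sep = strstr(body, "\n\n"), *payload = body;
    size_t hlen = 0;
    if (sep != NULL && sep < e) { hlen = (size_t)(sep + 1 - body); payload = sep + 2; }
    size_t plen = (size_t)(e - payload);
    char *n = malloc(nlen + 1), *h = malloc(hlen + 1);
    unsigned char *d = malloc(plen + 1);       /* +1: an empty payload still allocates */
    if (n == NULL || h == NULL || d == NULL) { free(n); free(h); free(d); return 0; }
    memcpy(n, b, nlen); n[nlen] = '\0';
    memcpy(h, body, hlen); h[hlen] = '\0';
    *name = n; *header = h; *data = d; *len = b64_decode(payload, plen, d);
    return 1;
}

/* Pre-fix shape (the CVE-2022-4450 pattern): out-params are written before the
 * "no data" check and the error path frees them without clearing them, so a
 * caller that frees *header on failure frees it a second time. */
int pem_read_ex_dangling(const char *buf, char **name_out, char **header,
                         unsigned char **data, size_t *len)
{
    if (!pem_split(buf, name_out, header, data, len)) return 0;
    if (*len != 0) return 1;
    free(*name_out); *name_out = NULL;
    free(*header); free(*data);                /* freed, but still visible to the caller */
    return 0;
}

/* Fixed shape: parse into locals and publish only after every check passed,
 * so on failure the caller's pointers are untouched. */
int pem_read_ex(const char *buf, char **name_out, char **header,
                unsigned char **data, size_t *len)
{
    char *n, *h; unsigned char *d; size_t l;
    if (!pem_split(buf, &n, &h, &d, &l)) return 0;
    if (l == 0) { free(n); free(h); free(d); return 0; }
    *name_out = n; *header = h; *data = d; *len = l;
    return 1;
}

/* Hardened caller: NULL-initialised out-params and free() on every path, which
 * is a no-op after a failed read. Returns the payload length or -1. */
long load_payload_len(const char *pem)
{
    char *name = NULL, *header = NULL; unsigned char *data = NULL; size_t len = 0;
    long ret = pem_read_ex(pem, &name, &header, &data, &len) ? (long)len : -1;
    free(name); free(header); free(data);
    return ret;
}

/* Constructed inputs: a 3-byte payload (01 02 03), and a header-only block
 * whose payload decodes to 0 bytes, the shape that reaches the error path. */
const char PEM_OK[] = "-----BEGIN CERTIFICATE-----\nAQID\n-----END CERTIFICATE-----\n";
const char PEM_EMPTY[] =
    "-----BEGIN CERTIFICATE-----\nProc-Type: 4,ENCRYPTED\n\n-----END CERTIFICATE-----\n";
```

Feed PEM_OK and PEM_EMPTY to load_payload_len() (3 and -1 respectively) and to pem_read_ex_dangling() to see the difference: after the dangling variant fails on PEM_EMPTY the header pointer is non-NULL but already freed, which is exactly the state a caller must never be handed. The two defensive rules the fixed shape encodes are the ones worth carrying into any C API with out-parameters: publish pointers only on the success path, and, on the caller side, initialise every out-pointer to NULL so unconditional cleanup is safe.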
Created edk2 tracking bugs for this issue:
Affects: fedora-36 [bug 2167906]
Affects: fedora-37 [bug 2167909]

Created openssl tracking bugs for this issue:
Affects: fedora-36 [bug 2167907]
Affects: fedora-37 [bug 2167910]

Created openssl1.1 tracking bugs for this issue:
Affects: fedora-36 [bug 2167908]
Affects: fedora-37 [bug 2167911]

Created openssl11 tracking bugs for this issue:
Affects: epel-7 [bug 2167905]

Created openssl3 tracking bugs for this issue:
Affects: epel-8 [bug 2167904]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:0946 https://access.redhat.com/errata/RHSA-2023:0946
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:1199 https://access.redhat.com/errata/RHSA-2023:1199
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:1405 https://access.redhat.com/errata/RHSA-2023:1405
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-4450
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2165 https://access.redhat.com/errata/RHSA-2023:2165
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2932 https://access.redhat.com/errata/RHSA-2023:2932
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:3408 https://access.redhat.com/errata/RHSA-2023:3408
This issue has been addressed in the following products: JBCS httpd 2.4.51.sp2 Via RHSA-2023:3355 https://access.redhat.com/errata/RHSA-2023:3355
This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
JBoss Core Services for RHEL 8
Via RHSA-2023:3354 https://access.redhat.com/errata/RHSA-2023:3354
This issue has been addressed in the following products:
Red Hat JBoss Web Server 5.7 on RHEL 7
Red Hat JBoss Web Server 5.7 on RHEL 8
Red Hat JBoss Web Server 5.7 on RHEL 9
Via RHSA-2023:3420 https://access.redhat.com/errata/RHSA-2023:3420
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2023:3421 https://access.redhat.com/errata/RHSA-2023:3421