Bugzilla – Bug 1199167
VUL-0: CVE-2022-1343: openssl-3: OCSP_basic_verify may incorrectly verify the response signing certificate
Last modified: 2024-06-07 07:54:41 UTC
CVE-2022-1343 https://www.openssl.org/news/secadv/20220503.txt

OCSP_basic_verify may incorrectly verify the response signing certificate (CVE-2022-1343)
=========================================================================================

Severity: Moderate

The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify.

It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0.

This issue also impacts the command line OpenSSL "ocsp" application. When verifying an ocsp response with the "-no_cert_checks" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result.

This issue affects OpenSSL version 3.0.

OpenSSL 3.0 users should upgrade to 3.0.3

This issue was reported to OpenSSL on the 6th April 2022 by Raul Metsma. The fix was developed by Matt Caswell from OpenSSL.
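The advisory above describes the command-line side of the problem: with `-no_cert_checks`, an affected `openssl ocsp` reports "Response verify OK" even though the signing certificate did not verify. The script below is an added example, not code from the bug report, SUSE or OpenSSL. It builds a throwaway CA and leaf certificate, produces an OCSP response with the `openssl ocsp` responder in file mode, and then verifies that response the way a relying party should: against an explicit trust anchor, without `-no_cert_checks`, acting on the exit status rather than on the printed text alone. It also shows the advisory's own condition (verification against the wrong anchor with `-no_cert_checks`) as a local self-test of whether the installed binary still behaves as described. Every file name, subject, serial and index entry is constructed for this example.

```shell
#!/bin/sh
# Added example for CVE-2022-1343 (not from the bug report or from OpenSSL):
# verify an OCSP response with `openssl ocsp` without -no_cert_checks and act
# on the exit status. All names, subjects and serials below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway CA that also signs OCSP responses for its own certificates
# (a CA may do so directly, so no delegated responder certificate is needed).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test CA" -keyout ca.key -out ca.pem 2>/dev/null
# An unrelated CA, used as the "wrong" trust anchor in the failure case.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated CA" -keyout other-ca.key -out other-ca.pem 2>/dev/null

# Leaf certificate issued by the test CA with a fixed (constructed) serial.
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=leaf.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
    -set_serial 0x1001 -days 1 -out leaf.pem 2>/dev/null

# Minimal CA index: six tab-separated fields (status, expiry, revocation date,
# serial, filename, subject). "V" marks the leaf as valid.
SERIAL=$(openssl x509 -in leaf.pem -noout -serial | cut -d= -f2)
printf 'V\t301231235959Z\t\t%s\tunknown\t/CN=leaf.example.test\n' "$SERIAL" > index.txt

# OCSP request for the leaf, answered by the responder from the index file.
openssl ocsp -issuer ca.pem -cert leaf.pem -reqout req.der >/dev/null
openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
    -reqin req.der -respout resp.der >/dev/null

# verify_response ANCHOR [EXTRA FLAGS...]: client-side verification of
# resp.der against the given trust anchor. Reuses the original request so the
# nonce in the response matches (-no_nonce keeps the tool from replacing it).
# Returns 0 only when the tool exits 0 AND prints "Response verify OK".
verify_response() {
    anchor=$1; shift
    out=$(openssl ocsp -reqin req.der -no_nonce -respin resp.der \
              -CAfile "$anchor" "$@" 2>&1) || return 1
    printf '%s\n' "$out" | grep -q '^Response verify OK$'
}

# Self-test for the advisory's condition: the signer certificate cannot be
# verified against other-ca.pem, so a fixed build must still fail here even
# with -no_cert_checks. Returns 0 if the binary wrongly reports success.
affected_by_cve_2022_1343() {
    verify_response other-ca.pem -no_cert_checks
}

if verify_response ca.pem; then
    echo "correct anchor: response verified"
fi
if ! verify_response other-ca.pem; then
    echo "wrong anchor: verification failed as expected"
fi
if affected_by_cve_2022_1343; then
    echo "this openssl build reports success with -no_cert_checks: affected"
else
    echo "this openssl build rejects the response even with -no_cert_checks"
fi
```

The point for callers of the library is the same: `OCSP_basic_verify` returns a positive value only on success, and code must treat both 0 and negative returns as failure instead of relying on `OCSP_NOCHECKS` to skip the signer checks.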
Fix is in git commit: https://github.com/openssl/openssl/commit/21f89f542d745adbf1131338929ae538e200d50d
created request id 274710
Reassigning to Security Team.
SUSE-SU-2022:2306-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1185637,1199166,1199167,1199168,1199169,1200550,1201099
CVE References: CVE-2022-1292,CVE-2022-1343,CVE-2022-1434,CVE-2022-1473,CVE-2022-2068,CVE-2022-2097
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): openssl-3-3.0.1-150400.4.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): openssl-3-3.0.1-150400.4.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Update to OpenSSL 3.0.5, accepted Factory submission: * https://build.opensuse.org/request/show/990536