Bug 1199169 (CVE-2022-1473) - VUL-0: CVE-2022-1473: openssl-3: Resource leakage when decoding certificates and keys
Summary: VUL-0: CVE-2022-1473: openssl-3: Resource leakage when decoding certificates...
Status: RESOLVED FIXED
Alias: CVE-2022-1473
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P2 - High : Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/330569/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-1473:7.5:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-03 15:25 UTC by Marcus Meissner
Modified: 2024-05-03 13:21 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2022-05-03 15:25:53 UTC 
CVE-2022-1473

https://www.openssl.org/news/secadv/20220503.txt

Resource leakage when decoding certificates and keys (CVE-2022-1473)
====================================================================

Severity: Low

The OPENSSL_LH_flush() function, which empties a hash table, contains
a bug that breaks reuse of the memory occuppied by the removed hash
table entries.

This function is used when decoding certificates or keys. If a long lived
process periodically decodes certificates or keys its memory usage will
expand without bounds and the process might be terminated by the operating
system causing a denial of service. Also traversing the empty hash table
entries will take increasingly more time.

Typically such long lived processes might be TLS clients or TLS servers
configured to accept client certificate authentication.

The function was added in the OpenSSL 3.0 version thus older releases
are not affected by the issue.

It was addressed in the 3.0.3 release on the 3rd May 2022. The fix can be
found in git commit 64c85430f.

OpenSSL 1.0.2 users are not affected.
OpenSSL 1.1.1 users are not affected.
OpenSSL 3.0 users should upgrade to 3.0.3.

This issue was reported to OpenSSL on the 21st April 2022 by Aliaksei Levin.
The fix was developed by Hugo Landau from OpenSSL.
Comment 1 Jason Sikes 2022-06-24 07:27:47 UTC 
created request id 274710

Reassigning to Security Team.
Comment 4 Swamp Workflow Management 2022-07-06 16:33:04 UTC 
SUSE-SU-2022:2306-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1185637,1199166,1199167,1199168,1199169,1200550,1201099
CVE References: CVE-2022-1292,CVE-2022-1343,CVE-2022-1434,CVE-2022-1473,CVE-2022-2068,CVE-2022-2097
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    openssl-3-3.0.1-150400.4.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    openssl-3-3.0.1-150400.4.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Pedro Monreal Gonzalez 2022-07-25 10:26:59 UTC 
Update to OpenSSL 3.0.5, accepted Factory submission:
 * https://build.opensuse.org/request/show/990536
Comment 9 Robert Frohl 2024-05-03 13:21:30 UTC 
done, closing