CVE-2022-4450

Name
CVE-2022-4450
Description
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
vendor-advisory https://www.openssl.org/news/secadv/20230207.txt
patch https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83
patch https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b
openssl-security@openssl.org https://security.gentoo.org/glsa/202402-08
af854a3a-2127-422b-91ae-364da2661108 https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* openssl >= 3.0.0 < 3.0.8
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* openssl >= 1.1.1 < 1.1.1t

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
openssl1.1-compat edge-community 1.1.1t-r0 Timo Teras <timo.teras@iki.fi> fixed
openssl1.1-compat 3.18-community 1.1.1t-r0 None fixed
openssl1.1-compat 3.17-community 1.1.1t-r0 Timo Teras <timo.teras@iki.fi> fixed
openssl edge-main 3.0.8-r0 Ariadne Conill <ariadne@dereferenced.org> fixed
openssl edge-main 3.0.7-r2 Ariadne Conill <ariadne@dereferenced.org> possibly vulnerable
openssl edge-main 3.0.7-r0 Ariadne Conill <ariadne@dereferenced.org> possibly vulnerable
openssl edge-main 3.0.6-r0 Ariadne Conill <ariadne@dereferenced.org> possibly vulnerable
openssl edge-main 3.0.5-r0 None possibly vulnerable
openssl edge-main 3.0.3-r0 None possibly vulnerable
openssl edge-main 3.0.2-r0 None possibly vulnerable
openssl edge-main 3.0.1-r0 None possibly vulnerable
openssl edge-main 1.1.1q-r0 Timo Teras <timo.teras@iki.fi> possibly vulnerable
openssl edge-main 1.1.1o-r0 Timo Teras <timo.teras@iki.fi> possibly vulnerable
openssl edge-main 1.1.1n-r0 Timo Teras <timo.teras@iki.fi> possibly vulnerable
openssl edge-main 1.1.1l-r0 Timo Teras <timo.teras@iki.fi> possibly vulnerable
openssl edge-main 1.1.1k-r0 Timo Teras <timo.teras@iki.fi> possibly vulnerable
openssl edge-main 1.1.1j-r0 None possibly vulnerable
openssl edge-main 1.1.1i-r0 None possibly vulnerable
openssl edge-main 1.1.1g-r0 None possibly vulnerable
openssl edge-main 1.1.1d-r3 None possibly vulnerable
openssl edge-main 1.1.1d-r1 None possibly vulnerable
openssl edge-main 1.1.1b-r1 None possibly vulnerable
openssl edge-main 1.1.1a-r0 None possibly vulnerable
openssl 3.22-main 3.0.8-r0 None fixed
openssl 3.22-main 3.0.7-r2 None possibly vulnerable
openssl 3.22-main 3.0.7-r0 None possibly vulnerable
openssl 3.22-main 3.0.6-r0 None possibly vulnerable
openssl 3.22-main 3.0.5-r0 None possibly vulnerable
openssl 3.22-main 3.0.3-r0 None possibly vulnerable
openssl 3.22-main 3.0.2-r0 None possibly vulnerable
openssl 3.22-main 3.0.1-r0 None possibly vulnerable
openssl 3.22-main 1.1.1l-r0 None possibly vulnerable
openssl 3.22-main 1.1.1k-r0 None possibly vulnerable
openssl 3.22-main 1.1.1j-r0 None possibly vulnerable
openssl 3.22-main 1.1.1i-r0 None possibly vulnerable
openssl 3.22-main 1.1.1g-r0 None possibly vulnerable
openssl 3.22-main 1.1.1d-r3 None possibly vulnerable
openssl 3.22-main 1.1.1d-r1 None possibly vulnerable
openssl 3.22-main 1.1.1b-r1 None possibly vulnerable
openssl 3.22-main 1.1.1a-r0 None possibly vulnerable
openssl 3.21-main 3.0.8-r0 None fixed
openssl 3.21-main 3.0.7-r2 None possibly vulnerable
openssl 3.21-main 3.0.7-r0 None possibly vulnerable
openssl 3.21-main 3.0.6-r0 None possibly vulnerable
openssl 3.21-main 3.0.5-r0 None possibly vulnerable
openssl 3.21-main 3.0.3-r0 None possibly vulnerable
openssl 3.21-main 3.0.2-r0 None possibly vulnerable
openssl 3.21-main 3.0.1-r0 None possibly vulnerable
openssl 3.21-main 1.1.1l-r0 None possibly vulnerable
openssl 3.21-main 1.1.1k-r0 None possibly vulnerable
openssl 3.21-main 1.1.1j-r0 None possibly vulnerable
openssl 3.21-main 1.1.1i-r0 None possibly vulnerable
openssl 3.21-main 1.1.1g-r0 None possibly vulnerable
openssl 3.21-main 1.1.1d-r3 None possibly vulnerable
openssl 3.21-main 1.1.1d-r1 None possibly vulnerable
openssl 3.21-main 1.1.1b-r1 None possibly vulnerable
openssl 3.21-main 1.1.1a-r0 None possibly vulnerable
openssl 3.20-main 3.0.8-r0 None fixed
openssl 3.20-main 3.0.7-r2 None possibly vulnerable
openssl 3.20-main 3.0.7-r0 None possibly vulnerable
openssl 3.20-main 3.0.6-r0 None possibly vulnerable
openssl 3.20-main 3.0.5-r0 None possibly vulnerable
openssl 3.20-main 3.0.3-r0 None possibly vulnerable
openssl 3.20-main 3.0.2-r0 None possibly vulnerable
openssl 3.20-main 3.0.1-r0 None possibly vulnerable
openssl 3.20-main 1.1.1l-r0 None possibly vulnerable
openssl 3.20-main 1.1.1k-r0 None possibly vulnerable
openssl 3.20-main 1.1.1j-r0 None possibly vulnerable
openssl 3.20-main 1.1.1i-r0 None possibly vulnerable
openssl 3.20-main 1.1.1g-r0 None possibly vulnerable
openssl 3.20-main 1.1.1d-r3 None possibly vulnerable
openssl 3.20-main 1.1.1d-r1 None possibly vulnerable
openssl 3.20-main 1.1.1b-r1 None possibly vulnerable
openssl 3.20-main 1.1.1a-r0 None possibly vulnerable
openssl 3.19-main 3.0.8-r0 None fixed
openssl 3.19-main 3.0.7-r2 None possibly vulnerable
openssl 3.19-main 3.0.7-r0 None possibly vulnerable
openssl 3.19-main 3.0.6-r0 None possibly vulnerable
openssl 3.19-main 3.0.5-r0 None possibly vulnerable
openssl 3.19-main 3.0.3-r0 None possibly vulnerable
openssl 3.19-main 3.0.2-r0 None possibly vulnerable
openssl 3.19-main 3.0.1-r0 None possibly vulnerable
openssl 3.19-main 1.1.1l-r0 None possibly vulnerable
openssl 3.19-main 1.1.1k-r0 None possibly vulnerable
openssl 3.19-main 1.1.1j-r0 None possibly vulnerable
openssl 3.19-main 1.1.1i-r0 None possibly vulnerable
openssl 3.19-main 1.1.1g-r0 None possibly vulnerable
openssl 3.19-main 1.1.1d-r3 None possibly vulnerable
openssl 3.19-main 1.1.1d-r1 None possibly vulnerable
openssl 3.19-main 1.1.1b-r1 None possibly vulnerable
openssl 3.19-main 1.1.1a-r0 None possibly vulnerable
openssl 3.18-main 3.0.8-r0 None fixed
openssl 3.17-main 3.0.8-r0 Ariadne Conill <ariadne@dereferenced.org> fixed