OpenSSL Security Advisory
Matt Caswell
matt at openssl.org
Tue Jun 21 14:35:58 UTC 2022
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenSSL Security Advisory [21 June 2022]
========================================
The c_rehash script allows command injection (CVE-2022-2068)
============================================================
Severity: Moderate
In addition to the c_rehash shell command injection identified in
CVE-2022-1292, further circumstances where the c_rehash script does not
properly sanitise shell metacharacters to prevent command injection were
found by code review.
When the CVE-2022-1292 was fixed it was not discovered that there
are other places in the script where the file names of certificates
being hashed were possibly passed to a command executed through the shell.
This script is distributed by some operating systems in a manner where
it is automatically executed. On such operating systems, an attacker
could execute arbitrary commands with the privileges of the script.
Use of the c_rehash script is considered obsolete and should be replaced
by the OpenSSL rehash command line tool.
This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.
OpenSSL 1.0.2 users should upgrade to 1.0.2zf (premium support customers only)
OpenSSL 1.1.1 users should upgrade to 1.1.1p
OpenSSL 3.0 users should upgrade to 3.0.4
This issue was reported to OpenSSL on the 20th May 2022. It was found by
Chancen of Qingteng 73lab. A further instance of the issue was found by
Daniel Fiala of OpenSSL during a code review of the script. The fix for
these issues was developed by Daniel Fiala and Tomas Mraz from OpenSSL.
Note
====
OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html
OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
The impact of these issues on OpenSSL 1.1.0 has not been analysed.
Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220621.txt
Note: the online version of the advisory may be updated with additional details
over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmKx1vMACgkQ2cTSbQ5g
RJFo3gf/XY0cjt1lXtTrGBGu5lDf6Gou7USlUy4lo0wQwkHJ11b2PDxINS+xGNzp
GoOSxCGcQEPrUPkQTwbTtVxSDKuIkQmQG0py155zUrKzsRTad3rIsHy+NzfweBW+
RSwTYZT702J5XRMkeaLhzqG2WY5fxibydaKRKIU2IcyvOQP4tEdrRBQ1taaYKORG
ZZmlcL8Et96YgbFDotLJAeZQ9nbOnHEti7zGCvp48klOqc4llH+0QnHmRsJFxO2F
QHNd0ZUsb0gzVajEOz1rBEIotS4tYDltRCkgJz7evJSPrXrbbacXflfHGsveWjgw
h8Wr4I7UK1liE3lmb5LuW/BXf7CAQg==
=31ys
-----END PGP SIGNATURE-----
More information about the openssl-announce
mailing list