OpenSSL Security Advisory

Tomas Mraz tomas at openssl.org
Tue Dec 13 13:24:56 UTC 2022



OpenSSL Security Advisory [13 December 2022]
============================================

X.509 Policy Constraints Double Locking (CVE-2022-3996)
=======================================================

Severity: Low

If an X.509 certificate contains a malformed policy constraint and
policy processing is enabled, then a write lock will be taken twice
recursively.  On some operating systems (most notably Windows) this
results in a denial of service because the affected process hangs.  Policy
processing being enabled on a publicly facing server is not considered
to be a common setup.

Policy processing is enabled by passing the `-policy'
argument to the command line utilities or by calling either
`X509_VERIFY_PARAM_add0_policy()' or `X509_VERIFY_PARAM_set1_policies()'
functions.

OpenSSL versions 3.0.0 to 3.0.7 are vulnerable to this issue.  However, due
to the low severity of this issue we are not creating a new release at
this time.  The mitigation for this issue can be found in commit 7725e7bfe.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8 once it is released.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
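The advisory states two conditions for exposure: an OpenSSL version in the 3.0.0 to 3.0.7 range, and policy processing enabled via the `-policy' argument or one of the two X509_VERIFY_PARAM functions named above. The script below is an added example, not part of the advisory or of OpenSSL itself; it turns those two conditions into checks an operator can run. The function names, the `./src' directory and the sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the OpenSSL advisory): two checks for deciding
# whether a deployment is exposed to CVE-2022-3996. Per the advisory, exposure
# needs BOTH OpenSSL 3.0.0..3.0.7 AND policy processing enabled.
# The function names and the ./src path are assumptions for this example.

# Usage: openssl_version_affected "$(openssl version)"   or   openssl_version_affected 3.0.7
# Returns 0 when the first dotted version in the string is 3.0.0 through 3.0.7,
# 1 when it is outside that range, 2 when no version could be parsed.
openssl_version_affected() {
    # Pick the first whitespace-separated field that looks like a version
    # (a trailing letter such as 1.1.1q is tolerated and then dropped).
    ver=$(printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+[a-z]*$/) { print $i; exit }
    }')
    [ -n "$ver" ] || return 2
    ver=$(printf '%s' "$ver" | sed 's/[a-z]*$//')
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Affected range from the advisory: 3.0.0 <= version <= 3.0.7
    [ "$major" -eq 3 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 7 ]
}

# Usage: source_enables_policy_processing ./src
# Returns 0 if any file under the directory calls one of the two API functions
# named in the advisory or passes -policy to the openssl command line tool,
# i.e. if the code base turns policy processing on; 1 otherwise.
source_enables_policy_processing() {
    grep -rlE \
        'X509_VERIFY_PARAM_(add0_policy|set1_policies)[[:space:]]*\(|(^|[[:space:]])-policy([[:space:]]|$)' \
        "$1" >/dev/null 2>&1
}

# Stand-alone run: report on the locally installed OpenSSL and, if present,
# on a ./src tree (both paths are assumptions for this example).
if command -v openssl >/dev/null 2>&1; then
    if openssl_version_affected "$(openssl version)"; then
        echo "OpenSSL is in the 3.0.0..3.0.7 range: check whether policy processing is enabled"
    else
        echo "installed OpenSSL is outside the 3.0.0..3.0.7 range (or its version was not parsed)"
    fi
    if [ -d ./src ] && source_enables_policy_processing ./src; then
        echo "./src enables policy processing"
    fi
fi
```

Both checks have to report positive before the advisory's denial-of-service scenario applies; a 3.0.x build that never enables policy processing, or a 1.1.1 or 1.0.2 build in any configuration, is not affected.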

This issue was discovered on 7th November 2022 by Polar Bear.
The fix was developed by Dr Paul Dale.

We have no evidence of this issue being exploited as of the time of
release of this advisory (December 13th 2022).

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20221213.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
