CVE-2022-4450
Vulnerability from cvelistv5
Published
2023-02-08 19:04
Modified
2024-08-03 01:41
Severity ?
Summary
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:41:44.632Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "OpenSSL Advisory",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.openssl.org/news/secadv/20230207.txt"
          },
          {
            "name": "3.0.8 git commit",
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83"
          },
          {
            "name": "1.1.1t git commit",
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202402-08"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "lessThan": "3.0.8",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.1.1t",
              "status": "affected",
              "version": "1.1.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "CarpetFuzz"
        },
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Dawei Wang"
        },
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Marc Sch\u00f6nefeld"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Kurt Roeckx"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Matt Caswell"
        }
      ],
      "datePublic": "2023-02-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and\u003cbr\u003edecodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data.\u003cbr\u003eIf the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are\u003cbr\u003epopulated with pointers to buffers containing the relevant decoded data. The\u003cbr\u003ecaller is responsible for freeing those buffers. It is possible to construct a\u003cbr\u003ePEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()\u003cbr\u003ewill return a failure code but will populate the header argument with a pointer\u003cbr\u003eto a buffer that has already been freed. If the caller also frees this buffer\u003cbr\u003ethen a double free will occur. This will most likely lead to a crash. This\u003cbr\u003ecould be exploited by an attacker who has the ability to supply malicious PEM\u003cbr\u003efiles for parsing to achieve a denial of service attack.\u003cbr\u003e\u003cbr\u003eThe functions PEM_read_bio() and PEM_read() are simple wrappers around\u003cbr\u003ePEM_read_bio_ex() and therefore these functions are also directly affected.\u003cbr\u003e\u003cbr\u003eThese functions are also called indirectly by a number of other OpenSSL\u003cbr\u003efunctions including PEM_X509_INFO_read_bio_ex() and\u003cbr\u003eSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal\u003cbr\u003euses of these functions are not vulnerable because the caller does not free the\u003cbr\u003eheader argument if PEM_read_bio_ex() returns a failure code. These locations\u003cbr\u003einclude the PEM_read_bio_TYPE() functions as well as the decoders introduced in\u003cbr\u003eOpenSSL 3.0.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eThe OpenSSL asn1parse command line application is also impacted by this issue.\u003c/div\u003e\u003cbr\u003e"
            }
          ],
          "value": "The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and\ndecodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data.\nIf the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are\npopulated with pointers to buffers containing the relevant decoded data. The\ncaller is responsible for freeing those buffers. It is possible to construct a\nPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()\nwill return a failure code but will populate the header argument with a pointer\nto a buffer that has already been freed. If the caller also frees this buffer\nthen a double free will occur. This will most likely lead to a crash. This\ncould be exploited by an attacker who has the ability to supply malicious PEM\nfiles for parsing to achieve a denial of service attack.\n\nThe functions PEM_read_bio() and PEM_read() are simple wrappers around\nPEM_read_bio_ex() and therefore these functions are also directly affected.\n\nThese functions are also called indirectly by a number of other OpenSSL\nfunctions including PEM_X509_INFO_read_bio_ex() and\nSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal\nuses of these functions are not vulnerable because the caller does not free the\nheader argument if PEM_read_bio_ex() returns a failure code. These locations\ninclude the PEM_read_bio_TYPE() functions as well as the decoders introduced in\nOpenSSL 3.0.\n\nThe OpenSSL asn1parse command line application is also impacted by this issue.\n\n\n"
        }
      ],
      "metrics": [
        {
          "format": "other",
          "other": {
            "content": {
              "text": "Moderate"
            },
            "type": "https://www.openssl.org/policies/secpolicy.html"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "double-free",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-24T14:53:33.164Z",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "name": "OpenSSL Advisory",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.openssl.org/news/secadv/20230207.txt"
        },
        {
          "name": "3.0.8 git commit",
          "tags": [
            "patch"
          ],
          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83"
        },
        {
          "name": "1.1.1t git commit",
          "tags": [
            "patch"
          ],
          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b"
        },
        {
          "url": "https://security.gentoo.org/glsa/202402-08"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Double free after calling PEM_read_bio_ex",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2022-4450",
    "datePublished": "2023-02-08T19:04:04.874Z",
    "dateReserved": "2022-12-13T13:38:08.598Z",
    "dateUpdated": "2024-08-03T01:41:44.632Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-4450\",\"sourceIdentifier\":\"openssl-security@openssl.org\",\"published\":\"2023-02-08T20:15:23.973\",\"lastModified\":\"2024-11-21T07:35:17.197\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and\\ndecodes the \\\"name\\\" (e.g. \\\"CERTIFICATE\\\"), any header data and the payload data.\\nIf the function succeeds then the \\\"name_out\\\", \\\"header\\\" and \\\"data\\\" arguments are\\npopulated with pointers to buffers containing the relevant decoded data. The\\ncaller is responsible for freeing those buffers. It is possible to construct a\\nPEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()\\nwill return a failure code but will populate the header argument with a pointer\\nto a buffer that has already been freed. If the caller also frees this buffer\\nthen a double free will occur. This will most likely lead to a crash. This\\ncould be exploited by an attacker who has the ability to supply malicious PEM\\nfiles for parsing to achieve a denial of service attack.\\n\\nThe functions PEM_read_bio() and PEM_read() are simple wrappers around\\nPEM_read_bio_ex() and therefore these functions are also directly affected.\\n\\nThese functions are also called indirectly by a number of other OpenSSL\\nfunctions including PEM_X509_INFO_read_bio_ex() and\\nSSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal\\nuses of these functions are not vulnerable because the caller does not free the\\nheader argument if PEM_read_bio_ex() returns a failure code. These locations\\ninclude the PEM_read_bio_TYPE() functions as well as the decoders introduced in\\nOpenSSL 3.0.\\n\\nThe OpenSSL asn1parse command line application is also impacted by this issue.\\n\\n\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-415\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.1.1\",\"versionEndExcluding\":\"1.1.1t\",\"matchCriteriaId\":\"DE0061D6-8F81-45D3-B254-82A94915FD08\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.0.8\",\"matchCriteriaId\":\"A6DC5D88-4E99-48F2-8892-610ACA9B5B86\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:stormshield:stormshield_network_security:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.3.16\",\"matchCriteriaId\":\"F7794B42-8235-4C75-866F-5D0A405F0989\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:stormshield:stormshield_network_security:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.4.0\",\"versionEndExcluding\":\"4.6.3\",\"matchCriteriaId\":\"C8A23A5D-928A-4225-9C93-31E5DFE215A7\"}]}]}],\"references\":[{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83\",\"source\":\"openssl-security@openssl.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b\",\"source\":\"openssl-security@openssl.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202402-08\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.openssl.org/news/secadv/20230207.txt\",\"source\":\"openssl-security@openssl.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202402-08\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.openssl.org/news/secadv/20230207.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.