CVE-2022-2097
Vulnerability Summary
Timeline
Description
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).
CVSS Metrics
- v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS Trends
Current EPSS score: 0.51%• Percentile: 67%
Techniques & Countermeasures
- CWE-327•Use of a Broken or Risky Cryptographic Algorithm
The product uses a broken or risky cryptographic algorithm or protocol.
Affected Systems
- Crates.Io•openssl-src
< 111.22.0 | ≥ 300.0.0, < 300.0.9
- debian•debian_linux
10.0 | 11.0
- fedoraproject•fedora
35 | 36
- netapp•active_iq_unified_manager
na
- netapp•clustered_data_ontap_antivirus_connector
na
- netapp•h300s_firmware
na
- netapp•h410c_firmware
na
- netapp•h410s_firmware
na
- netapp•h500s_firmware
na
- netapp•h700s_firmware
na
- Unknown•OpenSSL
≥ 1.1.1, < 1.1.1q | ≥ 3.0.0, < 3.0.5 | Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4) | Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p)
- siemens•sinec_ins
< 1.0 | 1.0 | 1.0:sp1 | 1.0:sp2
References (28)
- https://www.openssl.org/news/secadv/20220705.txt
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a98f339ddd7e8f487d6e0088d4a9a42324885a93
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=919925673d6c9cfed3c1085497f5dfbbed5fc431
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/
- https://security.netapp.com/advisory/ntap-20220715-0011/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/
- https://security.gentoo.org/glsa/202210-02
- https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
- https://www.debian.org/security/2023/dsa-5343
- https://lists.debian.org/debian-lts-announce/2023/02/msg00019.html
- https://security.netapp.com/advisory/ntap-20230420-0008/
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://nvd.nist.gov/vuln/detail/CVE-2022-2097
- https://security.netapp.com/advisory/ntap-20240621-0006
- https://security.netapp.com/advisory/ntap-20230420-0008
- https://security.netapp.com/advisory/ntap-20220715-0011
- https://rustsec.org/advisories/RUSTSEC-2022-0032.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK
- https://github.com/alexcrichton/openssl-src-rs
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a98f339ddd7e8f487d6e0088d4a9a42324885a93
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=919925673d6c9cfed3c1085497f5dfbbed5fc431
- https://crates.io/crates/openssl-src