CVE-2022-1343

Description

The function OCSP_basic_verify verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used, the function returns a positive value (meaning a successful verification) even when the response signing certificate fails to verify. It is anticipated that most users of OCSP_basic_verify will not use the OCSP_NOCHECKS flag. In that case OCSP_basic_verify returns a negative value (indicating a fatal error) on a certificate verification failure, where the normal expected return value would be 0.

This issue also impacts the command line OpenSSL ocsp application. When verifying an OCSP response with the -no_cert_checks option, the command line application reports that the verification is successful even though it has in fact failed. The incorrect successful result is accompanied by error messages showing the failure and contradicting the apparently successful result.

Fixed in OpenSSL 3.0.3 (Affected 3.0.0, 3.0.1, 3.0.2).
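The contradiction described above (a "Response verify OK" line printed next to verify error messages, with exit status 0) is what a caller scripting the ocsp application has to defend against until it runs 3.0.3 or later. The following Python wrapper is an added example, not code from this page or from the OpenSSL project: it builds an openssl ocsp command line without -no_cert_checks and treats any verify error line as overriding a success line. It assumes the openssl binary is on PATH; the marker strings are the ones the ocsp application prints, while the sample outputs are constructed to mirror them and were not captured from a real responder.

```python
"""Strict interpretation of `openssl ocsp` verification results.

Added example, not code from the page or from the OpenSSL project. Assumes the
`openssl` binary is on PATH. "Response verify OK" / "Response Verify Failure"
are the strings the ocsp application prints; ERR_print_errors lines have the
shape "...:error:<hex>:<lib>:<func>:<reason>:...". The SAMPLE_* outputs below
are constructed, not real captures.
"""
import re
import subprocess
from dataclasses import dataclass

OK_MARKER = "Response verify OK"
FAIL_MARKER = "Response Verify Failure"
# Matches both the 1.1.1 ("<pid>:error:<hex>:...") and the 3.0
# ("<thread id>:error:<hex>:...") ERR_print_errors line shapes.
ERROR_LINE = re.compile(r"\berror:[0-9A-Fa-f]{8}:")


@dataclass(frozen=True)
class OcspVerdict:
    verified: bool
    reason: str


def classify_ocsp_output(stdout: str, stderr: str, returncode: int) -> OcspVerdict:
    """Decide whether an `openssl ocsp` run really verified the response.

    The application prints its verify result on stderr, so both streams are
    scanned. Rule: any verify error line overrides a "Response verify OK" line.
    On 3.0.0-3.0.2 with -no_cert_checks the two appear together and the exit
    status is 0 (CVE-2022-1343); that combination must not count as success.
    """
    combined = stdout + "\n" + stderr
    if returncode != 0:
        return OcspVerdict(False, f"openssl ocsp exited with status {returncode}")
    if FAIL_MARKER in combined or ERROR_LINE.search(combined):
        return OcspVerdict(False, "verify error messages present; ignoring any 'Response verify OK'")
    if OK_MARKER not in combined:
        return OcspVerdict(False, "no 'Response verify OK' line in output")
    return OcspVerdict(True, "response signer certificate verified")


def build_ocsp_command(cert, issuer, cafile, url=None, respin=None):
    """Build an `openssl ocsp` command line that never passes -no_cert_checks.

    -issuer, -cert, -CAfile, -url and -respin are documented ocsp options.
    """
    cmd = ["openssl", "ocsp", "-issuer", issuer, "-cert", cert, "-CAfile", cafile]
    if respin is not None:
        cmd += ["-respin", respin]      # verify a saved DER response offline
    elif url is not None:
        cmd += ["-url", url]            # query a responder
    else:
        raise ValueError("either url or respin is required")
    return cmd


def verify_ocsp_response(cert, issuer, cafile, url=None, respin=None) -> OcspVerdict:
    """Run the command and apply the strict classification to its output."""
    proc = subprocess.run(build_ocsp_command(cert, issuer, cafile, url, respin),
                          capture_output=True, text=True)
    return classify_ocsp_output(proc.stdout, proc.stderr, proc.returncode)


# Constructed samples (not real captures) of the three shapes a caller sees.
_ERR = ("(constructed):error:1D800069:OCSP routines:OCSP_basic_verify:"
        "certificate verify error:crypto/ocsp/ocsp_vfy.c:(line):"
        "Verify error: unable to get local issuer certificate\n")
SAMPLE_OK = {
    "stdout": "cert.pem: good\n\tThis Update: May  3 12:00:00 2022 GMT\n",
    "stderr": "Response verify OK\n",
    "returncode": 0,
}
SAMPLE_FAILURE = {  # normal failure path: no -no_cert_checks, or a fixed build
    "stdout": "",
    "stderr": "Response Verify Failure\n" + _ERR,
    "returncode": 1,
}
SAMPLE_CVE_2022_1343 = {  # 3.0.0-3.0.2 with -no_cert_checks: OK line, errors, exit 0
    "stdout": "cert.pem: good\n\tThis Update: May  3 12:00:00 2022 GMT\n",
    "stderr": "Response verify OK\n" + _ERR,
    "returncode": 0,
}

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("failure", SAMPLE_FAILURE),
                         ("cve-2022-1343", SAMPLE_CVE_2022_1343)):
        print(name, classify_ocsp_output(**sample))
```

The same discipline applies at the library level: do not set OCSP_NOCHECKS, and treat every return value of OCSP_basic_verify that is not greater than zero as a failed verification, whether it is 0 or negative, so that the changed error code on unpatched 3.0.x never turns into an accepted response.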

Risk Information

Base Score: 5.3 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score (Exploitation Probability): 0.145

Associated Vulnerability

Vulnerability | OS Platform
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292 are fixed in OpenSSL (x64) 3.0.3 | Windows
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292 are fixed in OpenSSL 3.0.3 | Windows
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292,CVE-2022-3786 are fixed in OpenSSL 3.0.3 | Windows
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292,CVE-2022-3786 are fixed in OpenSSL (64-bit) 3.0.3 | Windows
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292,CVE-2022-3786 are fixed in OpenSSL (MSI)(x64) 3.0.3 | Windows
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292,CVE-2022-3786 are fixed in OpenSSL (MSI)(x86) 3.0.3 | Windows
Multiple vulnerabilities affect IBM App Connect Enterprise 11.0.0.18 | Windows
Multiple vulnerabilities affect IBM App Connect Enterprise 12.0.4.0 | Windows
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292,CVE-2022-3786 are fixed in OpenSSL Light 3.0.3 | Windows
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292,CVE-2022-3786 are fixed in OpenSSL Light (x64) 3.0.3 | Windows
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292,CVE-2022-3786 are fixed in OpenSSL Library 3.0.3 | Windows
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292,CVE-2022-3786 are fixed in OpenSSL Library x86 3.0.3 | Windows
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl3_3.0.2-0ubuntu1.5_i386.deb | Linux
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl3_3.0.2-0ubuntu1.5_amd64.deb | Linux
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl1.1_1.1.1l-1ubuntu1.5_i386.deb | Linux
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl1.1_1.1.1l-1ubuntu1.5_amd64.deb | Linux
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl1.1_1.1.1f-1ubuntu2.15_i386.deb | Linux
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl1.1_1.1.1f-1ubuntu2.15_amd64.deb | Linux
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl1.1_1.1.1-1ubuntu2.1~18.04.19_i386.deb | Linux
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl1.1_1.1.1-1ubuntu2.1~18.04.19_amd64.deb | Linux
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl1.0.0_1.0.2n-1ubuntu5.10_i386.deb | Linux
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl1.0.0_1.0.2n-1ubuntu5.10_amd64.deb | Linux
Openssl update (ELSA-2022-6224) openssl-3.0.1-41.0.1.el9_0.x86_64.rpm | Linux
Openssl-devel update (ELSA-2022-6224) openssl-devel-3.0.1-41.0.1.el9_0.i686.rpm | Linux
Openssl-devel update (ELSA-2022-6224) openssl-devel-3.0.1-41.0.1.el9_0.x86_64.rpm | Linux
Openssl-libs update (ELSA-2022-6224) openssl-libs-3.0.1-41.0.1.el9_0.i686.rpm | Linux
Openssl-libs update (ELSA-2022-6224) openssl-libs-3.0.1-41.0.1.el9_0.x86_64.rpm | Linux
Openssl-perl update (ELSA-2022-6224) openssl-perl-3.0.1-41.0.1.el9_0.x86_64.rpm | Linux
Improper Certificate Validation Vulnerability (CVE-2022-1343) | NCM

Patch Details

Patch ID | Patch Description
PATCH-355449 | OpenSSL (3.6.1)
PATCH-355451 | OpenSSL Light (3.6.1)
PATCH-355452 | OpenSSL Light (x64) (3.6.1)

References

https://nvd.nist.gov/vuln/detail/CVE-2022-1343
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1343