Home

CVE-2022-1473

Description

The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).

Risk Information

Base Score
7.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
Exploitation Probability
0.301

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292 are fixed in OpenSSL (x64) 3.0.3Windows
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292 are fixed in OpenSSL 3.0.3Windows
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292,CVE-2022-3786 are fixed in OpenSSL 3.0.3Windows
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292,CVE-2022-3786 are fixed in OpenSSL (64-bit) 3.0.3Windows
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292,CVE-2022-3786 are fixed in OpenSSL (MSI)(x64) 3.0.3Windows
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292,CVE-2022-3786 are fixed in OpenSSL (MSI)(x86) 3.0.3Windows
Multiple Vulnerabilities are affected in IBM App Connect Enterprise 11.0.0.18Windows
Multiple Vulnerabilities are affected in IBM App Connect Enterprise 12.0.4.0Windows
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292,CVE-2022-3786 are fixed in OpenSSL Light 3.0.3Windows
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292,CVE-2022-3786 are fixed in OpenSSL Light (x64) 3.0.3Windows
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292,CVE-2022-3786 are fixed in OpenSSL Library 3.0.3Windows
Vulnerabilities CVE-2022-1473,CVE-2022-1434,CVE-2022-1343,CVE-2022-1292,CVE-2022-3786 are fixed in OpenSSL Library x86 3.0.3Windows
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl3_3.0.2-0ubuntu1.5_i386.debLinux
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl3_3.0.2-0ubuntu1.5_amd64.debLinux
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl1.1_1.1.1l-1ubuntu1.5_i386.debLinux
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl1.1_1.1.1l-1ubuntu1.5_amd64.debLinux
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl1.1_1.1.1f-1ubuntu2.15_i386.debLinux
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl1.1_1.1.1f-1ubuntu2.15_amd64.debLinux
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl1.1_1.1.1-1ubuntu2.1~18.04.19_i386.debLinux
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl1.1_1.1.1-1ubuntu2.1~18.04.19_amd64.debLinux
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl1.0.0_1.0.2n-1ubuntu5.10_i386.debLinux
Secure Socket Layer (SSL) cryptographic library and tools (USN-5402-1) libssl1.0.0_1.0.2n-1ubuntu5.10_amd64.debLinux
Openssl update (ELSA-2022-6224) openssl-3.0.1-41.0.1.el9_0.x86_64.rpmLinux
Openssl-devel update (ELSA-2022-6224) openssl-devel-3.0.1-41.0.1.el9_0.i686.rpmLinux
Openssl-devel update (ELSA-2022-6224) openssl-devel-3.0.1-41.0.1.el9_0.x86_64.rpmLinux
Openssl-libs update (ELSA-2022-6224) openssl-libs-3.0.1-41.0.1.el9_0.i686.rpmLinux
Openssl-libs update (ELSA-2022-6224) openssl-libs-3.0.1-41.0.1.el9_0.x86_64.rpmLinux
Openssl-perl update (ELSA-2022-6224) openssl-perl-3.0.1-41.0.1.el9_0.x86_64.rpmLinux
Incomplete Cleanup Vulnerability (CVE-2022-1473)NCM

Patch Details

Click to see the patches provided by ManageEngine for this CVE
Patch IDPatch Description
PATCH-355449OpenSSL (3.6.1)
PATCH-355451OpenSSL Light (3.6.1)
PATCH-355452OpenSSL Light (x64) (3.6.1)

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234