CVE-2022-3996
X.509 Policy Constraints Double Locking
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
If an X.509 certificate contains a malformed policy constraint and
policy processing is enabled, then a write lock will be taken twice
recursively. On some operating systems (most widely: Windows) this
results in a denial of service when the affected process hangs. Policy
processing being enabled on a publicly facing server is not considered
to be a common setup.
Policy processing is enabled by passing the `-policy'
argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.
Update (31 March 2023): The description of the policy processing enablement
was corrected based on CVE-2023-0466.
Si un certificado X.509 contiene una restricción de política con formato incorrecto y el procesamiento de políticas está habilitado, se aplicará un bloqueo de escritura dos veces de forma recursiva. En algunos sistemas operativos (más ampliamente: Windows), esto resulta en una Denegación de Servicio (DoS) cuando el proceso afectado se bloquea. La habilitación del procesamiento de políticas en un servidor público no se considera una configuración común. El procesamiento de políticas se habilita pasando el argumento `-policy' a las utilidades de línea de comando o llamando a la función `X509_VERIFY_PARAM_set1_policies()'. Actualización (31 de marzo de 2023): la descripción de la habilitación del procesamiento de políticas se corrigió según CVE-2023-0466.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2022-11-15 CVE Reserved
- 2022-12-13 CVE Published
- 2024-07-05 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-667: Improper Locking
CAPEC
References (2)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7 | 2023-11-07 |
URL | Date | SRC |
---|---|---|
https://www.openssl.org/news/secadv/20221213.txt | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | >= 3.0.0 <= 3.0.7 Search vendor "Openssl" for product "Openssl" and version " >= 3.0.0 <= 3.0.7" | - |
Affected
|