CVE-2022-3996
X.509 Policy Constraints Double Locking
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
If an X.509 certificate contains a malformed policy constraint and
policy processing is enabled, then a write lock will be taken twice
recursively. On some operating systems (most widely: Windows) this
results in a denial of service when the affected process hangs. Policy
processing being enabled on a publicly facing server is not considered
to be a common setup. Policy processing is enabled by passing the `-policy'
argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function. Update (31 March 2023): The description of the policy processing enablement
was corrected based on CVE-2023-0466.
Si un certificado X.509 contiene una restricción de política con formato incorrecto y el procesamiento de políticas está habilitado, se aplicará un bloqueo de escritura dos veces de forma recursiva. En algunos sistemas operativos (más ampliamente: Windows), esto resulta en una Denegación de Servicio (DoS) cuando el proceso afectado se bloquea. La habilitación del procesamiento de políticas en un servidor público no se considera una configuración común. El procesamiento de políticas se habilita pasando el argumento `-policy' a las utilidades de línea de comando o llamando a la función `X509_VERIFY_PARAM_set1_policies()'. Actualización (31 de marzo de 2023): la descripción de la habilitación del procesamiento de políticas se corrigió según CVE-2023-0466.
If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. Update (31 March 2023): The description of the policy processing enablement was corrected based on CVE-2023-0466.
It was discovered that OpenSSL was not properly managing file locks when processing policy constraints. If a user or automated system were tricked into processing a certificate chain with specially crafted policy constraints, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 22.10. David Benjamin discovered that OpenSSL was not properly performing the verification of X.509 certificate chains that include policy constraints, which could lead to excessive resource consumption. If a user or automated system were tricked into processing a specially crafted X.509 certificate chain that includes policy constraints, a remote attacker could possibly use this issue to cause a denial of service.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2022-11-15 CVE Reserved
- 2022-12-13 CVE Published
- 2024-08-03 CVE Updated
- 2025-04-02 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-667: Improper Locking
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7 | 2023-11-07 |
| URL | Date | SRC |
|---|---|---|
| https://www.openssl.org/news/secadv/20221213.txt | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | >= 3.0.0 <= 3.0.7 Search vendor "Openssl" for product "Openssl" and version " >= 3.0.0 <= 3.0.7" | - |
Affected
| ||||||