[FREEBSD:EA05C456-A4FD-11EC-90DE-1C697AA5A594] OpenSSL -- Infinite loop in BN_mod_sqrt parsing certificates
Severity
High
Affected Packages
6
CVEs
1
The OpenSSL project reports:
Infinite loop in BN_mod_sqrt() reachable when parsing certificates
(High)
The BN_mod_sqrt() function, which computes a modular square root,
contains a bug that can cause it to loop forever for non-prime
moduli.
Internally this function is used when parsing certificates that
contain elliptic curve public keys in compressed form or explicit
elliptic curve parameters with a base point encoded in compressed
form.
It is possible to trigger the infinite loop by crafting a
certificate that has invalid explicit curve parameters.
Since certificate parsing happens prior to verification of the
certificate signature, any process that parses an externally
supplied certificate may thus be subject to a denial of service
attack. The infinite loop can also be reached when parsing crafted
private keys as they can contain explicit elliptic curve
parameters.
Thus vulnerable situations include:
TLS clients consuming server certificates
TLS servers consuming client certificates
Hosting providers taking certificates or private keys from
customers
Certificate authorities parsing certification requests from
subscribers
Anything else which parses ASN.1 elliptic curve parameters
Also any other applications that use the BN_mod_sqrt() where the
attacker can control the parameter values are vulnerable to this DoS
issue.
| Package | Affected Version |
|---|---|
 pkg:freebsd/openssl-quictls
|
< 3.0.2 |
|
pkg:freebsd/openssl-devel
|
< 3.0.2 |
|
pkg:freebsd/openssl
|
< 1.1.1n,1 |
|
pkg:freebsd/libressl-devel
|
< 3.5.1 |
|
pkg:freebsd/libressl
|
< 3.4.3 |
|
pkg:freebsd/FreeBSD
|
< 13.0_8 |
- ID
- FREEBSD:EA05C456-A4FD-11EC-90DE-1C697AA5A594
- Severity
- high
- Severity from
- CVE-2022-0778
- URL
- http://vuxml.freebsd.org/freebsd/ea05c456-a4fd-11ec-90de-1c697aa5a594.html
- Published
-
2022-03-15T00:00:00
(2 years ago) - Modified
-
2022-03-16T00:00:00
(2 years ago) - Rights
- FreeBSD VuXML Security Team
- Other Advisories
-
-
ALAS-2022-1575
-
ALAS2-2022-1766
-
ALAS2-2024-2502
-
ALPINE:CVE-2022-0778
-
ALSA-2022:1065
-
ALSA-2022:5326
-
DSA-5103-1
-
ELSA-2022-1065
-
ELSA-2022-1066
-
ELSA-2022-4899
-
ELSA-2022-5326
-
ELSA-2022-9224
-
ELSA-2022-9225
-
ELSA-2022-9233
-
ELSA-2022-9237
-
ELSA-2022-9243
-
ELSA-2022-9246
-
ELSA-2022-9249
-
ELSA-2022-9255
-
ELSA-2022-9258
-
ELSA-2022-9272
-
FEDORA-2022-8bb51f6901
-
FEDORA-2022-9e88b5d8d7
-
FEDORA-2022-a5f51502f0
-
FREEBSD:ADD683BE-BD76-11EC-A06F-D4C9EF517024
-
GLSA-202210-02
-
GLSA-202405-29
-
MS:CVE-2022-0778
-
openSUSE-SU-2022:0856-1
-
RHSA-2022:1065
-
RHSA-2022:1066
-
RHSA-2022:4899
-
RHSA-2022:5326
-
RLSA-2022:1065
-
RLSA-2022:4899
-
RLSA-2022:5326
-
RUSTSEC-2022-0014
-
SECADV-20220315-1
-
SSA:2022-076-02
-
SUSE-SU-2022:0851-1
-
SUSE-SU-2022:0853-1
-
SUSE-SU-2022:0854-1
-
SUSE-SU-2022:0856-1
-
SUSE-SU-2022:0857-1
-
SUSE-SU-2022:0859-1
-
SUSE-SU-2022:0860-1
-
SUSE-SU-2022:0861-1
-
SUSE-SU-2022:0935-1
-
SUSE-SU-2022:1459-1
-
SUSE-SU-2022:1461-1
-
SUSE-SU-2022:1462-1
-
SUSE-SU-2022:1536-1
-
USN-5328-1
-
USN-5328-2
-
USN-6457-1
-
| Source | # ID | Name | URL |
|---|---|---|---|
| FreeBSD VuXML |
|
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:freebsd/openssl-quictls |
openssl-quictls
|
< 3.0.2 | ||||
| Affected | pkg:freebsd/openssl-devel |
openssl-devel
|
< 3.0.2 | ||||
| Affected | pkg:freebsd/openssl |
openssl
|
< 1.1.1n,1 | ||||
| Affected | pkg:freebsd/libressl-devel |
libressl-devel
|
< 3.5.1 | ||||
| Affected | pkg:freebsd/libressl |
libressl
|
< 3.4.3 | ||||
| Affected | pkg:freebsd/FreeBSD |
FreeBSD
|
< 13.0_8 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |