SUBJECT: Action Required: OpenSSL 1.1.1 Vulnerability Mitigation
TECH STACK: OpenSSL
DATE(S) ISSUED: 06/21/2022
NVD LAST MODIFIED: 10/19/2023
CRITICALITY: CRITICAL
OVERVIEW: This advisory outlines necessary actions to address a critical vulnerability in OpenSSL versions prior to 1.1.1p, identified under CVE-2022-2068. The vulnerability stems from improper sanitation of shell metacharacters by the c_rehash script, potentially leading to command injection attacks. This document details the vulnerability and provides steps for mitigation to safeguard your systems against potential exploits.
VULNERABILITY DETAILS:
- CVE-2022-2068 concerns a scenario where the
c_rehash script, used for rehashing SSL certificates, fails to properly sanitize input. This flaw could allow an attacker to execute arbitrary commands with the script's privileges. The issue also extends to OpenSSL versions 3.0.0 through 3.0.3 and 1.0.2 through 1.0.2ze.
- The use of
c_rehash is deemed obsolete, with the recommendation to use the OpenSSL rehash command line tool instead.
SOLUTION/MITIGATION:
- Immediate Upgrade: Update to OpenSSL version 1.1.1p or newer. This update addresses the vulnerability and ensures enhanced security measures are in place.
- Discontinue
c_rehash Usage: Transition to using the rehash tool for certificate hashing tasks to avoid the vulnerabilities associated with c_rehash.
ADDITIONAL INFORMATION:
- Severity: Critical, with a CVSS v3 base score of 9.8, indicating a high risk of exploitability.
- Exploit Availability: Yes. Exploits for this vulnerability are known to be available, making immediate action crucial.
- Patch Publication Date: 06/21/2022
VERIFICATION:
- Verify the successful upgrade of OpenSSL by checking the installed version.
- Confirm the discontinuation of
c_rehash in favor of the recommended tool.
REFERENCES:
- CVE-2022-2068: For detailed information on the vulnerability.
- OpenSSL Advisory: OpenSSL Security Advisory 20220621 provides comprehensive details on affected versions and the vulnerability.
ACTION ITEMS:
- Review and identify any instances of OpenSSL versions prior to 1.1.1p.
- Schedule and perform the necessary upgrades to OpenSSL version 1.1.1p or later.
- Replace any usage of the
c_rehash script with the rehash tool.
- Monitor for any related security advisories or updates from OpenSSL.
Your prompt attention to this matter is essential to maintain the security and integrity of your systems.
