First published: Wed Mar 09 2022(Updated: )
A flaw was found in OpenSSL. It is possible to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing happens before verification of the certificate signature, any process that parses an externally supplied certificate may be subject to a denial of service attack.
Credit: openssl-security@openssl.org CVE-2022-0778 CVE-2022-0778 CVE-2022-0778 openssl-security@openssl.org openssl-security@openssl.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jbcs-httpd24-apr-util | <0:1.6.1-91.el8 | 0:1.6.1-91.el8 |
redhat/jbcs-httpd24-curl | <0:7.78.0-3.el8 | 0:7.78.0-3.el8 |
redhat/jbcs-httpd24-httpd | <0:2.4.37-80.el8 | 0:2.4.37-80.el8 |
redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-41.el8 | 0:1.39.2-41.el8 |
redhat/jbcs-httpd24-openssl | <1:1.1.1g-11.el8 | 1:1.1.1g-11.el8 |
redhat/jbcs-httpd24-openssl-chil | <0:1.0.0-11.el8 | 0:1.0.0-11.el8 |
redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-26.el8 | 0:0.4.10-26.el8 |
redhat/jbcs-httpd24-apr-util | <0:1.6.1-91.jbcs.el7 | 0:1.6.1-91.jbcs.el7 |
redhat/jbcs-httpd24-curl | <0:7.78.0-3.jbcs.el7 | 0:7.78.0-3.jbcs.el7 |
redhat/jbcs-httpd24-httpd | <0:2.4.37-80.jbcs.el7 | 0:2.4.37-80.jbcs.el7 |
redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-41.jbcs.el7 | 0:1.39.2-41.jbcs.el7 |
redhat/jbcs-httpd24-openssl | <1:1.1.1g-11.jbcs.el7 | 1:1.1.1g-11.jbcs.el7 |
redhat/jbcs-httpd24-openssl-chil | <0:1.0.0-11.jbcs.el7 | 0:1.0.0-11.jbcs.el7 |
redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-26.jbcs.el7 | 0:0.4.10-26.jbcs.el7 |
redhat/openssl | <0:1.0.1e-60.el6_10 | 0:1.0.1e-60.el6_10 |
redhat/openssl | <1:1.0.2k-25.el7_9 | 1:1.0.2k-25.el7_9 |
redhat/openssl | <1:1.0.1e-62.el7_3 | 1:1.0.1e-62.el7_3 |
redhat/openssl | <1:1.0.2k-10.el7_4 | 1:1.0.2k-10.el7_4 |
redhat/openssl | <1:1.0.2k-18.el7_6 | 1:1.0.2k-18.el7_6 |
redhat/openssl | <1:1.0.2k-21.el7_7 | 1:1.0.2k-21.el7_7 |
redhat/compat-openssl10 | <1:1.0.2o-4.el8_6 | 1:1.0.2o-4.el8_6 |
redhat/openssl | <1:1.1.1k-6.el8_5 | 1:1.1.1k-6.el8_5 |
redhat/openssl | <1:1.1.1c-5.el8_1.1 | 1:1.1.1c-5.el8_1.1 |
redhat/openssl | <1:1.1.1c-19.el8_2 | 1:1.1.1c-19.el8_2 |
redhat/openssl | <1:1.1.1g-16.el8_4 | 1:1.1.1g-16.el8_4 |
redhat/compat-openssl11 | <1:1.1.1k-4.el9_0 | 1:1.1.1k-4.el9_0 |
redhat/jws5-tomcat | <0:9.0.50-5.redhat_00007.1.el7 | 0:9.0.50-5.redhat_00007.1.el7 |
redhat/jws5-tomcat-native | <0:1.2.30-4.redhat_4.el7 | 0:1.2.30-4.redhat_4.el7 |
redhat/jws5-tomcat | <0:9.0.50-5.redhat_00007.1.el8 | 0:9.0.50-5.redhat_00007.1.el8 |
redhat/jws5-tomcat-native | <0:1.2.30-4.redhat_4.el8 | 0:1.2.30-4.redhat_4.el8 |
redhat/redhat-virtualization-host | <0:4.3.22-20220330.1.el7_9 | 0:4.3.22-20220330.1.el7_9 |
OpenSSL OpenSSL | >=1.0.2<1.0.2zd | |
OpenSSL OpenSSL | >=1.1.0<1.1.1n | |
OpenSSL OpenSSL | >=3.0.0<3.0.2 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
Netapp Cloud Volumes Ontap Mediator | ||
NetApp Clustered Data ONTAP | ||
Netapp Clustered Data Ontap Antivirus Connector | ||
Netapp Santricity Smi-s Provider | ||
Netapp Storagegrid | ||
Netapp A250 Firmware | ||
Netapp A250 | ||
Netapp 500f Firmware | ||
Netapp 500f | ||
Fedoraproject Fedora | =34 | |
Fedoraproject Fedora | =36 | |
Tenable Nessus | <8.15.4 | |
Tenable Nessus | >=10.0.0<10.1.2 | |
Mariadb Mariadb | >=10.2.0<10.2.42 | |
Mariadb Mariadb | >=10.3.0<10.3.33 | |
Mariadb Mariadb | >=10.4.0<10.4.23 | |
Mariadb Mariadb | >=10.5.0<10.5.14 | |
Mariadb Mariadb | >=10.6.0<10.6.6 | |
Mariadb Mariadb | >=10.7.0<10.7.2 | |
Nodejs Node.js | >=12.0.0<=12.12.0 | |
Nodejs Node.js | >=12.13.0<12.22.11 | |
Nodejs Node.js | >14.0.0<=14.14.0 | |
Nodejs Node.js | >=14.15.0<14.19.1 | |
Nodejs Node.js | >16.0.0<=16.12.0 | |
Nodejs Node.js | >=16.13.0<16.14.2 | |
Nodejs Node.js | >17.0.0<17.7.2 | |
Apple Catalina | ||
redhat/openssl | <1.0.2 | 1.0.2 |
redhat/openssl | <1.1.1 | 1.1.1 |
redhat/openssl | <3.0.2 | 3.0.2 |
All of | ||
Netapp A250 Firmware | ||
Netapp A250 | ||
All of | ||
Netapp 500f Firmware | ||
Netapp 500f | ||
rust/openssl-src | <111.18.0 | 111.18.0 |
rust/openssl-src | >=300.0.0<300.0.5 | 300.0.5 |
IBM Engineering Requirements Quality Assistant On-Premises | <=All | |
Apple macOS Big Sur | <11.6.6 | 11.6.6 |
Apple macOS Monterey | <12.4 | 12.4 |
debian/openssl | 1.1.1w-0+deb11u1 1.1.1w-0+deb11u2 3.0.15-1~deb12u1 3.0.14-1~deb12u2 3.3.2-2 |
Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
(Found alongside the following vulnerabilities)
The vulnerability ID for this issue is CVE-2022-0778.
The severity of CVE-2022-0778 is high.
The vulnerability CVE-2022-0778 affects OpenSSL by causing the BN_mod_sqrt() function to loop forever for non-prime moduli.
The software versions affected by CVE-2022-0778 are OpenSSL 1.0.2 up to exclusive and OpenSSL 1.1.1 up to exclusive.
To fix the vulnerability CVE-2022-0778, update OpenSSL to a version that includes the fix.