CVE-2022-23408
First published: Tue Jan 18 2022(Updated: )
wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2. This occurs because of misplaced memory initialization in BuildMessage in internal.c.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Wolfssl Wolfssl | >=5.0.0<5.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-23408?
CVE-2022-23408 is a vulnerability in wolfSSL 5.x before 5.1.1 that uses non-random IV values in certain situations, affecting connections using AES-CBC or DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2.
How severe is CVE-2022-23408?
CVE-2022-23408 has a severity rating of 9.1 (critical).
What software versions are affected by CVE-2022-23408?
wolfSSL versions 5.0.0 to 5.1.1 are affected by CVE-2022-23408.
How can this vulnerability be exploited?
The vulnerability can be exploited by an attacker in certain situations where non-random IV values are used, affecting connections using AES-CBC or DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2.
Is there a fix available for CVE-2022-23408?
Yes, the fix for CVE-2022-23408 is included in wolfSSL version 5.1.1.
- collector/nvd-index
- vendor/wolfssl
- canonical/wolfssl wolfssl
- version/wolfssl wolfssl/5.0.0