CVE-2022-4450: Double free after calling PEM_read_bio_ex
First published: Wed Jan 25 2023(Updated: )
A double-free vulnerability was found in OpenSSL's PEM_read_bio_ex function. The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (for example, "CERTIFICATE"), any header data, and the payload data. If the function succeeds, then the "name_out," "header," and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. Constructing a PEM file that results in 0 bytes of payload data is possible. In this case, PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a freed buffer. A double-free will occur if the caller also frees this buffer. This will most likely lead to a crash. This could be exploited by an attacker who can supply malicious PEM files for parsing to achieve a denial of service attack.
Credit: openssl-security@openssl.org openssl-security@openssl.org openssl-security@openssl.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jbcs-httpd24-openssl | <1:1.1.1k-14.el8 | 1:1.1.1k-14.el8 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1k-14.el7 | 1:1.1.1k-14.el7 |
| redhat/edk2 | <0:20220126gitbb1bba3d77-4.el8 | 0:20220126gitbb1bba3d77-4.el8 |
| redhat/openssl | <1:1.1.1k-9.el8_7 | 1:1.1.1k-9.el8_7 |
| redhat/openssl | <1:1.1.1k-9.el8_6 | 1:1.1.1k-9.el8_6 |
| redhat/openssl | <1:3.0.1-47.el9_1 | 1:3.0.1-47.el9_1 |
| redhat/edk2 | <0:20221207gitfff6d81270b5-9.el9_2 | 0:20221207gitfff6d81270b5-9.el9_2 |
| redhat/openssl | <1:3.0.1-46.el9_0 | 1:3.0.1-46.el9_0 |
| redhat/jws5-tomcat-native | <0:1.2.31-14.redhat_14.el7 | 0:1.2.31-14.redhat_14.el7 |
| redhat/jws5-tomcat-native | <0:1.2.31-14.redhat_14.el8 | 0:1.2.31-14.redhat_14.el8 |
| redhat/jws5-tomcat-native | <0:1.2.31-14.redhat_14.el9 | 0:1.2.31-14.redhat_14.el9 |
| OpenSSL OpenSSL | >=1.1.1<1.1.1t | |
| OpenSSL OpenSSL | >=3.0.0<3.0.8 | |
| Stormshield Stormshield Network Security | >=4.0.0<4.3.16 | |
| Stormshield Stormshield Network Security | >=4.4.0<4.6.3 | |
| rust/openssl-src | >=300.0.0<300.0.12 | 300.0.12 |
| rust/openssl-src | <111.25.0 | 111.25.0 |
| IBM Cloud Pak for Business Automation | <=V22.0.2 - V22.0.2-IF004 | |
| IBM Cloud Pak for Business Automation | <=V21.0.3 - V21.0.3-IF020 | |
| IBM Cloud Pak for Business Automation | <=V22.0.1 - V22.0.1-IF006 and later fixesV21.0.2 - V21.0.2-IF012 and later fixesV21.0.1 - V21.0.1-IF007 and later fixesV20.0.1 - V20.0.3 and later fixesV19.0.1 - V19.0.3 and later fixesV18.0.0 - V18.0.2 and later fixes | |
| debian/openssl | 1.1.1w-0+deb11u1 1.1.1n-0+deb11u5 3.0.14-1~deb12u1 3.0.14-1~deb12u2 3.3.2-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-4450 https://nvd.nist.gov/vuln/detail/CVE-2022-4450 https://www.openssl.org/news/secadv/20230207.txt
- https://bugzilla.redhat.com/show_bug.cgi?id=2164494
- https://access.redhat.com/errata/RHSA-2023:3354
- https://access.redhat.com/errata/RHSA-2023:2932
- https://access.redhat.com/errata/RHSA-2023:1405
- https://access.redhat.com/errata/RHSA-2023:3408
- https://access.redhat.com/errata/RHSA-2023:0946
- https://access.redhat.com/errata/RHSA-2023:2165
- https://access.redhat.com/errata/RHSA-2023:1199
- https://access.redhat.com/errata/RHSA-2023:3355
- https://access.redhat.com/errata/RHSA-2023:3421
- https://access.redhat.com/errata/RHSA-2023:3420
- https://access.redhat.com/security/cve/cve-2022-4450
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b
- https://www.openssl.org/news/secadv/20230207.txt
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2167906
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2167909
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2167907
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2167910
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2167908
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2167911
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2167905
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2167904
- https://security.gentoo.org/glsa/202402-08
- https://nvd.nist.gov/vuln/detail/CVE-2022-4450
- https://rustsec.org/advisories/RUSTSEC-2023-0010.html
- https://github.com/advisories/GHSA-v5w6-wcm8-jm4q (Advisory)
- https://launchpad.net/bugs/cve/CVE-2022-4450
- https://exchange.xforce.ibmcloud.com/vulnerabilities/246615
- https://www.ibm.com/support/pages/node/6998727 (Advisory)
- https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=63bcf189be73a9cc1264059bed6f57974be74a83
- https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=bbcf509bd046b34cca19c766bbddc31683d0858b
- https://security-tracker.debian.org/tracker/CVE-2022-4450
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450
- https://ubuntu.com/security/CVE-2022-4450
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2022-4450?
CVE-2022-4450 is a double-free vulnerability found in OpenSSL's PEM_read_bio_ex function.
What is the severity of CVE-2022-4450?
CVE-2022-4450 has a severity level of high (7).
Which software is affected by CVE-2022-4450?
OpenSSL versions from 1.1.1 to 1.1.1t, OpenSSL versions from 3.0.0 to 3.0.8, Stormshield Network Security versions from 4.0.0 to 4.3.16, and Stormshield Network Security versions from 4.4.0 to 4.6.3 are affected.
How does CVE-2022-4450 impact OpenSSL?
CVE-2022-4450 allows an attacker to trigger a double-free vulnerability in OpenSSL's PEM_read_bio_ex function, potentially leading to arbitrary code execution.
Are there any references for CVE-2022-4450?
Yes, you can find references for CVE-2022-4450 at the following links: [1](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2167906), [2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2167909), [3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2167907).
- collector/redhat-cve
- collector/nvd-index
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-4450
- agent/type
- agent/first-publish-date
- agent/severity
- agent/author
- agent/title
- agent/weakness
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-v5w6-wcm8-jm4q
- collector/github-advisory
- collector/launchpad-cve
- source/Launchpad
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/tags
- agent/description
- agent/softwarecombine
- agent/event
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/openssl
- canonical/openssl openssl
- version/openssl openssl/1.1.1
- version/openssl openssl/3.0.0
- vendor/stormshield
- canonical/stormshield stormshield network security
- version/stormshield stormshield network security/4.0.0
- version/stormshield stormshield network security/4.4.0
- package-manager/rust
- package-manager/debian
- vendor/ibm
- canonical/ibm cloud pak for business automation
- version/ibm cloud pak for business automation/v22.0.2 - v22.0.2-if004
- version/ibm cloud pak for business automation/v21.0.3 - v21.0.3-if020
- version/ibm cloud pak for business automation/v22.0.1 - v22.0.1-if006 and later fixesv21.0.2 - v21.0.2-if012 and later fixesv21.0.1 - v21.0.1-if007 and later fixesv20.0.1 - v20.0.3 and later fixesv19.0.1 - v19.0.3 and later fixesv18.0.0 - v18.0.2 and later fixes