Sign In

CVE-2022-0778

SOURCE - github

Summary

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).

EPSS Score: 0.01342 (0.862)

Common Weakness Enumeration (CWE)

SOURCE - nist

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

SOURCE - github

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

SOURCE - gitlab

CWE-1035

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-937

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

SOURCE - redhat

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

Sources (43)

Impacted images

Alpine

CREATED

UPDATED

SOURCE IDCVE-2022-0778
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE
PackageTypeOS NameOS VersionAffected RangesFix Versions
alpine/libresslapkalpine3.18<3.4.3-r03.4.3-r0
alpine/libresslapkalpine3.15<3.4.3-r03.4.3-r0
alpine/libresslapkalpineedge<3.4.3-r03.4.3-r0
alpine/libresslapkalpine3.19<3.4.3-r03.4.3-r0
alpine/libresslapkalpine3.21<3.4.3-r03.4.3-r0
alpine/libresslapkalpine3.14<3.3.6-r03.3.6-r0
alpine/libresslapkalpine3.20<3.4.3-r03.4.3-r0
alpine/libresslapkalpine3.17<3.4.3-r03.4.3-r0
alpine/libresslapkalpine3.16<3.4.3-r03.4.3-r0
alpine/libretlsapkalpine3.17<3.5.1-r03.5.1-r0
alpine/libretlsapkalpine3.18<3.5.1-r03.5.1-r0
alpine/libretlsapkalpine3.16<3.5.1-r03.5.1-r0
alpine/libretlsapkalpineedge<3.5.1-r03.5.1-r0
alpine/libretlsapkalpine3.20<3.5.1-r03.5.1-r0
alpine/libretlsapkalpine3.14<3.3.3p1-r33.3.3p1-r3
alpine/libretlsapkalpine3.21<3.5.1-r03.5.1-r0
alpine/libretlsapkalpine3.19<3.5.1-r03.5.1-r0
alpine/libretlsapkalpine3.15<3.3.4-r33.3.4-r3
alpine/lighthouseapkalpine3.19<2.2.0-r02.2.0-r0
alpine/lighthouseapkalpineedge<2.2.0-r02.2.0-r0
alpine/lighthouseapkalpine3.21<2.2.0-r02.2.0-r0
alpine/lighthouseapkalpine3.20<2.2.0-r02.2.0-r0
alpine/openjdk11apkalpine3.15<11.0.15_p10-r011.0.15_p10-r0
alpine/openjdk11apkalpine3.21<11.0.15_p10-r011.0.15_p10-r0
alpine/openjdk11apkalpine3.17<11.0.15_p10-r011.0.15_p10-r0
alpine/openjdk11apkalpine3.18<11.0.15_p10-r011.0.15_p10-r0
alpine/openjdk11apkalpine3.20<11.0.15_p10-r011.0.15_p10-r0
alpine/openjdk11apkalpine3.16<11.0.15_p10-r011.0.15_p10-r0
alpine/openjdk11apkalpine3.19<11.0.15_p10-r011.0.15_p10-r0
alpine/openjdk11apkalpineedge<11.0.15_p10-r011.0.15_p10-r0
alpine/opensslapkalpine3.16<1.1.1n-r01.1.1n-r0
alpine/opensslapkalpine3.15<1.1.1n-r01.1.1n-r0
alpine/opensslapkalpine3.14<1.1.1n-r01.1.1n-r0
alpine/opensslapkalpineedge<3.0.2-r03.0.2-r0
alpine/opensslapkalpine3.20<3.0.2-r03.0.2-r0
alpine/opensslapkalpine3.21<3.0.2-r03.0.2-r0
alpine/opensslapkalpine3.19<3.0.2-r03.0.2-r0
alpine/opensslapkalpine3.18<3.0.2-r03.0.2-r0
alpine/opensslapkalpine3.13<1.1.1n-r01.1.1n-r0
alpine/opensslapkalpine3.17<3.0.2-r03.0.2-r0
alpine/opensslapkalpine3.12<1.1.1n-r01.1.1n-r0
alpine/openssl1.1-compatapkalpine3.18<1.1.1n-r01.1.1n-r0
alpine/openssl1.1-compatapkalpine3.17<1.1.1n-r01.1.1n-r0
alpine/openssl3apkalpine3.16<3.0.2-r03.0.2-r0
alpine/openssl3apkalpine3.15<3.0.2-r03.0.2-r0

Severity and metrics

No CVSS data available from this source.

NIST

CREATED

UPDATED

SOURCE IDCVE-2022-0778
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-835

CVSS SCORE

7.5high

GitHub

CREATED

UPDATED

SOURCE IDGHSA-x3mh-jvjw-3xwx
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-835

CVSS SCORE

7.5high

Debian

CREATED

UPDATED

SOURCE IDCVE-2022-0778
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

Ubuntu

CREATED

UPDATED

SOURCE IDCVE-2022-0778
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

7.5high

RustSec

CREATED

UPDATED

SOURCE IDRUSTSEC-2022-0014
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

GitLab

CREATED

UPDATED

SOURCE ID

CVE-2022-0778

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-1035CWE-835CWE-937

CVSS SCORE

7.5high

Alma

CREATED

UPDATED

SOURCE IDALSA-2022:1065
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Alma

CREATED

UPDATED

SOURCE IDALSA-2022:5326
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Alow

Amazon

CREATED

UPDATED

SOURCE IDALAS-2022-1575
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Amazon

CREATED

UPDATED

SOURCE IDALAS2023-2023-051
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Amazon

CREATED

UPDATED

SOURCE IDALAS2023-2023-037
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Amazon

CREATED

UPDATED

SOURCE IDALAS2022-2022-041
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Amazon

CREATED

UPDATED

SOURCE IDALAS2022-2022-195
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Amazon

CREATED

UPDATED

SOURCE IDALAS2022-2022-182
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Amazon

CREATED

UPDATED

SOURCE IDALAS2-2022-1766
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Amazon

CREATED

UPDATED

SOURCE IDALAS2-2024-2502
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Bitnami

CREATED

UPDATED

SOURCE ID

BIT-2022-0778

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Bitnami

CREATED

UPDATED

SOURCE ID

BIT-node-2022-0778

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Bitnami

CREATED

UPDATED

SOURCE ID

BIT-mysql-client-2022-0778

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Bitnami

CREATED

UPDATED

SOURCE ID

BIT-mariadb-2022-0778

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Red Hat

CREATED

UPDATED

SOURCE IDCVE-2022-0778
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-835

CVSS SCORE

7.5high

Rocky

CREATED

UPDATED

SOURCE IDRLSA-2022:5326
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Rocky

CREATED

UPDATED

SOURCE IDRLSA-2022:4899
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Rocky

CREATED

UPDATED

SOURCE IDRLSA-2022:1065
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

SUSE

CREATED

UPDATED

SOURCE IDCVE-2022-0778
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

7.5high

Oracle

CREATED

UPDATED

SOURCE IDELSA-2022-9237
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Oracle

CREATED

UPDATED

SOURCE IDELSA-2022-9246
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Oracle

CREATED

UPDATED

SOURCE IDELSA-2022-9258
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Oracle

CREATED

UPDATED

SOURCE IDELSA-2022-5326
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Alow

Oracle

CREATED

UPDATED

SOURCE IDELSA-2022-9243
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Oracle

CREATED

UPDATED

SOURCE IDELSA-2022-1066
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Oracle

CREATED

UPDATED

SOURCE IDELSA-2022-9255
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Oracle

CREATED

UPDATED

SOURCE IDELSA-2022-1065
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Oracle

CREATED

UPDATED

SOURCE IDELSA-2022-4899
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Oracle

CREATED

UPDATED

SOURCE IDELSA-2022-9249
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Oracle

CREATED

UPDATED

SOURCE IDELSA-2022-9224
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Oracle

CREATED

UPDATED

SOURCE IDELSA-2022-9233
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Oracle

CREATED

UPDATED

SOURCE IDELSA-2022-9225
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Oracle

CREATED

UPDATED

SOURCE IDELSA-2022-9272
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Chainguard

CREATED

UPDATED

SOURCE ID

CGA-388r-r649-wqc9

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

Wolfi

CREATED

UPDATED

SOURCE ID

CGA-388r-r649-wqc9

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE

intheWild

CREATED

UPDATED

SOURCE IDCVE-2022-0778
EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM SOURCE