CVE-2022-2068

Updated: 2024-11-23 03:42:23.201978

Description:

In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).


Links NIST CIRCL RHEL Ubuntu

Severity

Severity Score
CVSS Version 2.x HIGH 10
CVSS Version 3.x CRITICAL 9.8

Status

OS name Project name Version Score Severity Status Errata Last updated

Statement

CentOS 6 ELS openssl 1.0.1e 9.8 CRITICAL Released CLSA-2022:1657817606 2022-07-26 14:03:02
CentOS 7 ELS openssl 1.0.2k 9.8 CRITICAL Released CLSA-2024:1719925589 2024-07-16 05:53:00
CentOS 8.4 ELS openssl 1.1.1g 9.8 CRITICAL Released CLSA-2022:1657816793 2022-07-18 08:59:11
CentOS 8.5 ELS openssl 1.1.1k 9.8 CRITICAL Released CLSA-2022:1658171496 2022-07-18 16:26:31
CloudLinux 6 ELS openssl 1.0.1e 9.8 CRITICAL Released CLSA-2022:1658168138 2022-08-01 13:07:58
Oracle Linux 6 ELS openssl 1.0.1e 9.8 CRITICAL Released CLSA-2022:1657816312 2022-07-18 08:59:11
Ubuntu 16.04 ELS openssl 1.0.2g-1 9.8 CRITICAL Released CLSA-2022:1657814965 2022-07-18 08:59:12
Ubuntu 18.04 ELS openssl 1.1.1-1 9.8 CRITICAL Already Fixed 2023-10-27 09:32:56