Intel® IPP Cryptography Advisory

Summary:

Potential security vulnerabilities in Intel® Integrated Performance Primitives (IPP) Cryptography software may allow information disclosure. Intel is releasing software updates to mitigate these potential vulnerabilities.

Vulnerability Details:

CVEID: CVE-2022-37409

Description: Insufficient control flow management for the Intel® IPP Cryptography software before version 2021.6 may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 4.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVEID: CVE-2022-41646

Description: Insufficient control flow management in the Intel® IPP Cryptography software before version 2021.6 may allow an unauthenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 4.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CVEID: CVE-2022-40974

Description: Incomplete cleanup in the Intel® IPP Cryptography software before version 2021.6 may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 1.8 Low

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

Affected Products:

Intel® IPP Cryptography software before version 2021.6.

Recommendations:

Intel recommends updating the Intel® IPP Cryptography software to version 2021.6 or later.

Updates are available for download at this location:

<https://github.com/intel/ipp-crypto/releases&gt;

Acknowledgements:

The following issues were found internally by Intel employees. Intel would like to thank Kevin Jacobs, Viktoria Gvozdeva, Igor Fedyaev and Elena Tyuleneva.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.