Lucene search

[email protected]CVE-2022-2097

HistoryJul 05, 2022 - 11:15 a.m.

CVE-2022-2097

2022-07-0511:15:08

CWE-327

[email protected]

web.nvd.nist.gov

325

cve-2022-2097

aes ocb

32-bit x86

openssl

security vulnerability

encryption

data privacy

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

6.6 Medium

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.004 Low

EPSS

Percentile

72.4%

JSON

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn’t written. In the special case of “in place” encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).

Affected configurations

NVD

Node

opensslopensslRange1.1.1–1.1.1q

opensslopensslRange3.0.0–3.0.5

Node

fedoraprojectfedoraMatch35

fedoraprojectfedoraMatch36

Node

netappactive_iq_unified_managerMatch-vmware_vsphere

netappclustered_data_ontap_antivirus_connectorMatch-

Node

netapph300s_firmwareMatch-

AND

netapph300s_firmwareMatch-

Node

netapph500s_firmwareMatch-

AND

netapph500sMatch-

Node

netapph700sMatch-

AND

netapph700s_firmwareMatch-

Node

netapph410sMatch-

AND

netapph410s_firmwareMatch-

Node

netapph410cMatch-

AND

netapph410c_firmwareMatch-

Node

siemenssinec_insRange<1.0

siemenssinec_insMatch1.0-

siemenssinec_insMatch1.0sp1

siemenssinec_insMatch1.0sp2

Node

debiandebian_linuxMatch10.0

debiandebian_linuxMatch11.0

CPENameOperatorVersion
openssl:opensslopenssllt1.1.1q
openssl:opensslopenssllt3.0.5

CPE	Name	Operator	Version
openssl:openssl	openssl	lt	1.1.1q
openssl:openssl	openssl	lt	3.0.5

CNA Affected

[
  {
    "vendor": "OpenSSL",
    "product": "OpenSSL",
    "versions": [
      {
        "version": "Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4)",
        "status": "affected"
      },
      {
        "version": "Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p)",
        "status": "affected"
      }
    ]
  }
]