CVE-2022-1473

Published: 3 May 2022

The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).

Priority

Status

Package	Release	Status
edk2 Launchpad, Ubuntu, Debian	bionic	Not vulnerable
	focal	Not vulnerable
	impish	Not vulnerable
	jammy	Not vulnerable
	trusty	Does not exist
	upstream	Needs triage
	xenial	Ignored (end of standard support)
nodejs Launchpad, Ubuntu, Debian	bionic	Not vulnerable (uses system openssl1.0)
	focal	Not vulnerable (uses system openssl1.1)
	impish	Not vulnerable (uses system openssl1.1)
	jammy	Not vulnerable (uses system openssl1.1)
	trusty	Not vulnerable (uses system openssl)
	upstream	Needs triage
	xenial	Not vulnerable (uses system openssl)
openssl Launchpad, Ubuntu, Debian	bionic	Not vulnerable (1.1.1-1ubuntu2.1~18.04.15)
	focal	Not vulnerable (1.1.1f-1ubuntu2.12)
	impish	Not vulnerable (1.1.1l-1ubuntu1.2)
	jammy	Released (3.0.2-0ubuntu1.1)
	trusty	Needs triage
	upstream	Released (3.0.3)
	xenial	Needs triage
openssl1.0 Launchpad, Ubuntu, Debian	bionic	Not vulnerable
	focal	Does not exist
	impish	Does not exist
	jammy	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist

Notes

Author	Note
mdeslaur	OpenSSL v3.x only

CVE-2022-1473

Low

Status

Notes

References

Bugs

Join the discussion

Canonical is offering Extended Security Maintenance

Further reading