CVE-2022-37454
Published: 21 October 2022
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
Notes
| Author | Note |
|---|---|
| sbeattie | PEAR issues should go against php-pear as of xenial |
| rodrigo-zaiden | PHP includes Keccak code for sha3 starting from php7.2 |
| leosilva | in PHP it was introduced in 91663a92d1697fc30a7ba4687d73e0f63ec2baa1 php-7.2.0alpha1 |
| mdeslaur | Python 3.11 switched to using tiny_sha3, so not affected. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
php5 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Does not exist
|
|
|
php7.0 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
php7.2 Launchpad, Ubuntu, Debian |
bionic |
Released
(7.2.24-0ubuntu0.18.04.15)
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needed
|
|
| xenial |
Does not exist
|
|
|
php7.4 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Released
(7.4.3-4ubuntu2.15)
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
php8.1 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Released
(8.1.2-1ubuntu2.8)
|
|
| kinetic |
Released
(8.1.7-1ubuntu3.1)
|
|
| lunar |
Released
(8.1.12-1ubuntu2)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(8.1.12-1)
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/php/php-src/commit/248f647724e385bfb8d83aa5b5a5ca3c4ee2c7fd |
||
|
pypy3 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Needs triage
|
|
| jammy |
Needs triage
|
|
| kinetic |
Needs triage
|
|
| lunar |
Pending
(7.3.9+dfsg-5)
|
|
| trusty |
Ignored
(out of standard support)
|
|
| upstream |
Released
(7.3.9+dfsg-5)
|
|
| xenial |
Ignored
(out of standard support)
|
|
|
Patches: upstream: https://foss.heptapod.net/pypy/pypy/-/commit/860b897b2611a4099ef9c63ce848fdec89c74b31 |
||
|
pysha3 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| jammy |
Needs triage
|
|
| kinetic |
Needs triage
|
|
| lunar |
Does not exist
|
|
| trusty |
Ignored
(out of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
python3.10 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Released
(3.10.6-1~22.04.2)
|
|
| kinetic |
Released
(3.10.7-1ubuntu0.2)
|
|
| lunar |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(3.10.9-1)
|
|
| xenial |
Does not exist
|
|
|
python3.11 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Not vulnerable
(code not present)
|
|
| kinetic |
Not vulnerable
(code not present)
|
|
| lunar |
Not vulnerable
(code not present)
|
|
| trusty |
Does not exist
|
|
| upstream |
Not vulnerable
(code not present)
|
|
| xenial |
Does not exist
|
|
|
python3.6 Launchpad, Ubuntu, Debian |
bionic |
Released
(3.6.9-1~18.04ubuntu1.10)
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
python3.7 Launchpad, Ubuntu, Debian |
bionic |
Released
(3.7.5-2ubuntu1~18.04.2+esm2)
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
python3.8 Launchpad, Ubuntu, Debian |
bionic |
Released
(3.8.0-3ubuntu1~18.04.2+esm1)
|
| focal |
Released
(3.8.10-0ubuntu1~20.04.6)
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
python3.9 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Released
(3.9.5-3ubuntu0~20.04.1+esm1)
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37454
- https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658
- https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a
- https://mouha.be/sha-3-buffer-overflow/
- https://github.com/python/cpython/issues/98517
- https://github.com/python/cpython/commit/0e4e058602d93b88256ff90bbef501ba20be9dd3 (3.10-branch)
- https://github.com/python/cpython/commit/857efee6d2d43c5c12fc7e377ce437144c728ab8 (3.9-branch)
- https://github.com/python/cpython/commit/948c6794711458fd148a3fa62296cadeeb2ed631 (3.8-branch)
- https://github.com/python/cpython/commit/8088c90044ba04cd5624b278340ebf934dbee4a5 (3.7-branch)
- https://news.ycombinator.com/item?id=33281106
- https://csrc.nist.gov/projects/hash-functions/sha-3-project
- https://github.com/php/php-src/commit/248f647724e385bfb8d83aa5b5a5ca3c4ee2c7fd
- https://ubuntu.com/security/notices/USN-5717-1
- https://ubuntu.com/security/notices/USN-5767-1
- https://ubuntu.com/security/notices/USN-5888-1
- https://ubuntu.com/security/notices/USN-5767-3
- https://ubuntu.com/security/notices/USN-5930-1
- https://ubuntu.com/security/notices/USN-5931-1
- NVD
- Launchpad
- Debian