ISN 2022-06: OpenSSL Denial of Service
First published 21st March 2022
CVSS 3.1 Base Score: 7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A vulnerability has been found in the OpenSSL cryptography library. This affects the following IGEL products:
IGEL OS 11
IGEL OS 10
Details
It has been discovered that OpenSSL can run into an infinite loop when parsing a TLS certificate or key that has invalid explicit elliptic curve parameters (CVE-2022-0778). An attacker could use a crafted and self-signed certificate to cause a denial of service in OpenSSL and consequently in applications that use OpenSSL.
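To check which OpenSSL build a host is running against the upstream fix releases for CVE-2022-0778, here is an added Python example (not part of this notice or of IGEL's tooling). The fixed releases 1.0.2zd, 1.1.1n and 3.0.2 are taken from the OpenSSL project's advisory and are an assumption here, as are the constructed `openssl version` banners; a vendor build may have backported the fix without changing its version string, so treat the result as a triage hint.

```python
import re
from typing import Optional

# Upstream OpenSSL releases that fix CVE-2022-0778, per the OpenSSL project's
# advisory (assumption: not stated in the IGEL notice). Keyed by the release
# branch that OpenSSL patches separately.
FIXED_IN = {
    (1, 0, 2): "1.0.2zd",
    (1, 1, 1): "1.1.1n",
    (3, 0): "3.0.2",
}

# 'OpenSSL 1.1.1k  25 Mar 2021' -> numbers '1.1.1', letters 'k', optional '-suffix'
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+(?:\.\d+)+)([a-z]*)(?:-([A-Za-z0-9]+))?")


def parse_version(banner: str) -> Optional[tuple]:
    """Turn an `openssl version` banner into a comparable tuple, e.g.
    (1, 1, 1, 'k'). Returns None for non-OpenSSL banners and for
    pre-release builds (-dev/-alpha/-beta), which need manual review."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    suffix = (m.group(3) or "").lower()
    if suffix.startswith(("dev", "alpha", "beta")):
        return None
    numbers = tuple(int(p) for p in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))  # pad '3.0' to '3.0.0'
    return numbers + (m.group(2),)  # letter suffix sorts '' < 'a' < ... < 'zd'


def branch_of(version: tuple) -> Optional[tuple]:
    """1.x branches are three numbers deep (1.1.1), 3.x branches two (3.0)."""
    branch = version[:3] if version[0] == 1 else version[:2]
    return branch if branch in FIXED_IN else None


def is_vulnerable(banner: str) -> Optional[bool]:
    """True if the banner is older than the fix on its branch, False if fixed,
    None if unparseable or on a branch not in FIXED_IN (e.g. out-of-support
    1.1.0, which the upstream advisory does not cover)."""
    version = parse_version(banner)
    if version is None:
        return None
    branch = branch_of(version)
    if branch is None:
        return None
    return version < parse_version("OpenSSL " + FIXED_IN[branch])


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    for banner in ("OpenSSL 1.1.1k  25 Mar 2021", "OpenSSL 3.0.2 15 Mar 2022"):
        print(banner, "->", "vulnerable" if is_vulnerable(banner) else "fixed")
```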
Mitigation
The attack relies on a TLS server certificate crafted by an attacker. Until the security fix is available, only connect to servers under the control of your own organization or a trusted party.
Update Instructions
IGEL OS 11: Update to IGEL OS 11.07.100 (to be released on March 29th)
IGEL OS 10: Upgrade to IGEL OS 11.07.100 (to be released on March 29th)