CVE Vulnerabilities

CVE-2022-4304

Observable Discrepancy

Published: Feb 08, 2023 | Modified: Feb 04, 2024
CVSS 3.x
5.9
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
5.9 MODERATE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Ubuntu
MEDIUM

A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.

For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.

Weakness

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Affected Software

Name Vendor Start Version End Version
Openssl Openssl 1.0.2 (including) 1.0.2zg (excluding)
Openssl Openssl 1.1.1 (including) 1.1.1t (excluding)
Openssl Openssl 3.0.0 (including) 3.0.8 (excluding)
JBCS httpd 2.4.51.sp2 RedHat openssl *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-openssl-1:1.1.1k-14.el8jbcs *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-openssl-1:1.1.1k-14.el7jbcs *
Red Hat Enterprise Linux 8 RedHat edk2-0:20220126gitbb1bba3d77-4.el8 *
Red Hat Enterprise Linux 8 RedHat openssl-1:1.1.1k-9.el8_7 *
Red Hat Enterprise Linux 8.6 Extended Update Support RedHat edk2-0:20220126gitbb1bba3d77-2.el8_6.1 *
Red Hat Enterprise Linux 8.6 Extended Update Support RedHat openssl-1:1.1.1k-9.el8_6 *
Red Hat Enterprise Linux 9 RedHat openssl-1:3.0.1-47.el9_1 *
Red Hat Enterprise Linux 9 RedHat edk2-0:20221207gitfff6d81270b5-9.el9_2 *
Red Hat Enterprise Linux 9 RedHat openssl-1:3.0.1-47.el9_1 *
Red Hat Enterprise Linux 9.0 Extended Update Support RedHat openssl-1:3.0.1-46.el9_0 *
Red Hat JBoss Web Server 5 RedHat openssl *
Red Hat JBoss Web Server 5.7 on RHEL 7 RedHat jws5-tomcat-native-0:1.2.31-14.redhat_14.el7jws *
Red Hat JBoss Web Server 5.7 on RHEL 8 RedHat jws5-tomcat-native-0:1.2.31-14.redhat_14.el8jws *
Red Hat JBoss Web Server 5.7 on RHEL 9 RedHat jws5-tomcat-native-0:1.2.31-14.redhat_14.el9jws *
Edk2 Ubuntu bionic *
Edk2 Ubuntu kinetic *
Edk2 Ubuntu lunar *
Edk2 Ubuntu trusty *
Edk2 Ubuntu xenial *
Nodejs Ubuntu jammy *
Nodejs Ubuntu trusty *
Openssl Ubuntu bionic *
Openssl Ubuntu devel *
Openssl Ubuntu esm-infra-legacy/trusty *
Openssl Ubuntu esm-infra/xenial *
Openssl Ubuntu fips-preview/jammy *
Openssl Ubuntu fips-updates/bionic *
Openssl Ubuntu fips-updates/focal *
Openssl Ubuntu fips-updates/jammy *
Openssl Ubuntu fips-updates/xenial *
Openssl Ubuntu fips/bionic *
Openssl Ubuntu fips/focal *
Openssl Ubuntu fips/xenial *
Openssl Ubuntu focal *
Openssl Ubuntu jammy *
Openssl Ubuntu kinetic *
Openssl Ubuntu lunar *
Openssl Ubuntu mantic *
Openssl Ubuntu noble *
Openssl Ubuntu oracular *
Openssl Ubuntu trusty *
Openssl Ubuntu trusty/esm *
Openssl Ubuntu upstream *
Openssl Ubuntu xenial *
Openssl1.0 Ubuntu bionic *
Openssl1.0 Ubuntu esm-infra/bionic *

Potential Mitigations

  • Compartmentalize the system to have “safe” areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.

References