Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2022-1343

Disclosure Date: May 03, 2022
CVE-2022-1343 CVSS v3 Base Score: 5.3
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The function OCSP_basic_verify verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of OCSP_basic_verify will not use the OCSP_NOCHECKS flag. In this case the OCSP_basic_verify function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL “ocsp” application. When verifying an ocsp response with the “-no_cert_checks” option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
5.3 Medium
Impact Score:
1.4
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
Low
Availability (A):
None

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
OpenSSL Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2)
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • netapp,
  • openssl

Products

  • a250 firmware -,
  • a700s firmware -,
  • active iq unified manager -,
  • aff 500f firmware -,
  • aff 8300 firmware -,
  • aff 8700 firmware -,
  • aff a400 firmware -,
  • clustered data ontap -,
  • clustered data ontap antivirus connector -,
  • fabric-attached storage a400 firmware -,
  • fas 500f firmware -,
  • fas 8300 firmware -,
  • fas 8700 firmware -,
  • h300e firmware -,
  • h300s firmware -,
  • h410s firmware -,
  • h500e firmware -,
  • h500s firmware -,
  • h700e firmware -,
  • h700s firmware -,
  • openssl,
  • santricity smi-s provider -,
  • smi-s provider -,
  • snapmanager -,
  • solidfire & hci management node -,
  • solidfire, enterprise sds & hci storage node -

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis