Vulnerability Description
The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. When the (non-default) flag OCSP_NOCHECKS is used, the return value is positive (meaning a successful verification) even when the response signing certificate fails to verify.

It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In that case `OCSP_basic_verify` returns a negative value (indicating a fatal error) on a certificate verification failure, where the normal expected return value would be 0. A caller that tests for `ret == 0` to detect verification failure therefore misclassifies the result; a caller that already treats every non-positive return value as failure is not affected by this part of the issue.

This issue also affects the command line OpenSSL "ocsp" application. When verifying an OCSP response with the "-no_cert_checks" option, the command line application reports that the verification is successful even though it has in fact failed. In this case the incorrect successful result is accompanied by error messages showing the failure and contradicting the apparently successful result.

Fixed in OpenSSL 3.0.3 (affected: 3.0.0, 3.0.1, 3.0.2).
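As an added example (not part of this advisory and not the OpenSSL project's own code), the POSIX shell script below reproduces the "ocsp" command-line workflow offline: it builds a throwaway CA, a leaf certificate and a delegated OCSP responder certificate with the openssl CLI, answers an OCSP request for the leaf from a local index file (responder mode, no network), then verifies the stored response against the right and the wrong trust anchor, with and without -no_cert_checks. The wrapper check_ocsp_verify accepts a result only when the exit status is zero, "Response verify OK" is printed and no "error:" lines accompany it, which is exactly the check a caller of a 3.0.0 to 3.0.2 binary needs. All file names, subjects, serial numbers and the temporary directory are assumptions of the example.

```shell
#!/bin/sh
# Added example for CVE-2022-1343 (not OpenSSL project code). Builds a throwaway PKI,
# produces an OCSP response offline with `openssl ocsp` in responder mode, and checks
# the verification result defensively. Names, subjects and serials are assumptions.

# Create CA, leaf, delegated OCSP signer and an unrelated CA under $1.
setup_pki() {
    dir=$1
    mkdir -p "$dir"
    # Self-signed root CA (EC keys keep key generation fast).
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Example Test CA" \
        -days 30 >/dev/null 2>&1
    # Leaf certificate; the fixed serial 0x1234 is what the responder index refers to.
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=leaf.example" >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial 0x1234 -days 30 -out "$dir/leaf.crt" >/dev/null 2>&1
    # Delegated responder certificate: the OCSPSigning EKU is what the signer checks require.
    printf 'extendedKeyUsage = OCSPSigning\n' > "$dir/ocsp.ext"
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/ocsp.key" -out "$dir/ocsp.csr" -subj "/CN=Example OCSP Responder" >/dev/null 2>&1
    openssl x509 -req -in "$dir/ocsp.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial 0x2 -days 30 -extfile "$dir/ocsp.ext" -out "$dir/ocsp.crt" >/dev/null 2>&1
    # Unrelated CA, used as the wrong trust anchor in the negative case.
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/other.key" -out "$dir/other.crt" -subj "/CN=Unrelated CA" \
        -days 30 >/dev/null 2>&1
    # `openssl ca` style index line: status, expiry, revocation date (empty), serial, file, subject.
    printf 'V\t300101000000Z\t\t1234\tunknown\t/CN=leaf.example\n' > "$dir/index.txt"
}

# Build an OCSP request for the leaf and answer it from the index without any network.
make_response() {
    dir=$1
    openssl ocsp -issuer "$dir/ca.crt" -cert "$dir/leaf.crt" -no_nonce \
        -reqout "$dir/req.der" >/dev/null 2>&1
    # -index/-CA/-rsigner/-rkey switch `openssl ocsp` into responder mode for the one request in -reqin.
    openssl ocsp -index "$dir/index.txt" -CA "$dir/ca.crt" \
        -rsigner "$dir/ocsp.crt" -rkey "$dir/ocsp.key" \
        -reqin "$dir/req.der" -respout "$dir/resp.der" >/dev/null 2>&1
}

# Verify the stored response against $2 as trust anchor; extra args (e.g. -no_cert_checks) pass through.
# stdout and stderr are merged so the caller sees the banner and any error lines together.
verify_response() {
    dir=$1
    cafile=$2
    shift 2
    openssl ocsp -respin "$dir/resp.der" -issuer "$dir/ca.crt" -cert "$dir/leaf.crt" \
        -no_nonce -CAfile "$cafile" "$@" 2>&1
}

# Accept only when the exit status is 0, "Response verify OK" is printed and no error
# lines accompany it. The contradictory "OK plus errors" output that 3.0.0-3.0.2 produce
# with -no_cert_checks is therefore rejected.
check_ocsp_verify() {
    if out=$(verify_response "$@"); then
        status=0
    else
        status=$?
    fi
    case $out in
        *"Response verify OK"*) banner_ok=1 ;;
        *) banner_ok=0 ;;
    esac
    case $out in
        *"error:"*) has_errors=1 ;;
        *) has_errors=0 ;;
    esac
    if [ "$status" -eq 0 ] && [ "$banner_ok" -eq 1 ] && [ "$has_errors" -eq 0 ]; then
        return 0
    fi
    return 1
}

demo_dir=${TMPDIR:-/tmp}/ocsp-cve-2022-1343-demo
rm -rf "$demo_dir"
setup_pki "$demo_dir"
make_response "$demo_dir"
if check_ocsp_verify "$demo_dir" "$demo_dir/ca.crt"; then
    echo "right anchor:                  accepted"
else
    echo "right anchor:                  rejected"
fi
if check_ocsp_verify "$demo_dir" "$demo_dir/other.crt"; then
    echo "wrong anchor:                  accepted"
else
    echo "wrong anchor:                  rejected"
fi
if check_ocsp_verify "$demo_dir" "$demo_dir/other.crt" -no_cert_checks; then
    echo "wrong anchor, -no_cert_checks: accepted"
else
    echo "wrong anchor, -no_cert_checks: rejected"
fi
```

On a fixed build both wrong-anchor runs print "Response Verify Failure" and exit 1; on 3.0.0 through 3.0.2 the -no_cert_checks run prints "Response verify OK" together with the error lines, and check_ocsp_verify still rejects it because of those lines. Library callers get the equivalent protection by treating every non-positive return value of `OCSP_basic_verify` as failure instead of testing for 0 alone.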
CVSS Score
5.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openssl | Openssl | >= 3.0.0, < 3.0.3 |
| Netapp | Active Iq Unified Manager | - |
| Netapp | Clustered Data Ontap | - |
| Netapp | Clustered Data Ontap Antivirus Connector | - |
| Netapp | Santricity Smi-S Provider | - |
| Netapp | Smi-S Provider | - |
| Netapp | Snapmanager | - |
| Netapp | Solidfire, Enterprise Sds & Hci Storage Node | - |
| Netapp | Solidfire & Hci Management Node | - |
| Netapp | A250 Firmware | - |
| Netapp | A250 | - |
| Netapp | A700S Firmware | - |
| Netapp | A700S | - |
| Netapp | Aff 500F Firmware | - |
| Netapp | Aff 500F | - |
| Netapp | Aff 8300 Firmware | - |
| Netapp | Aff 8300 | - |
| Netapp | Aff 8700 Firmware | - |
| Netapp | Aff 8700 | - |
| Netapp | Aff A400 Firmware | - |
Related Weaknesses (CWE)
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2eda98790c5c274
- https://security.netapp.com/advisory/ntap-20220602-0009/ (Third Party Advisory)
- https://www.openssl.org/news/secadv/20220503.txt (Vendor Advisory)
FAQ
What is CVE-2022-1343?
CVE-2022-1343 is a vulnerability in OpenSSL 3.0.0 through 3.0.2 with a CVSS score of 5.3 (MEDIUM). `OCSP_basic_verify` reports success when the non-default OCSP_NOCHECKS flag is used even if the response signing certificate fails to verify, and without that flag it returns a negative value instead of the expected 0 on a certificate verification failure. The "ocsp" command line application with "-no_cert_checks" is affected in the same way.
How severe is CVE-2022-1343?
CVE-2022-1343 has been rated MEDIUM with a CVSS base score of 5.3/10.
Is there a patch for CVE-2022-1343?
Yes. OpenSSL 3.0.3 fixes the issue (affected: 3.0.0, 3.0.1, 3.0.2); see the OpenSSL vendor advisory and the fixing commit in the references section above. For NetApp products (Active Iq Unified Manager, Clustered Data Ontap, Clustered Data Ontap Antivirus Connector, Santricity Smi-S Provider and the others listed in the table) consult the NetApp advisory in the references.