Vulnerability Description
In OpenSSL's AES-NI assembly optimised implementation of AES OCB mode for 32-bit x86 platforms, some inputs are not encrypted in their entirety: under some circumstances sixteen bytes of the output buffer are never written. The output then contains sixteen bytes of whatever data previously occupied that memory. In the special case of "in place" encryption, where the output buffer is the plaintext buffer, those sixteen bytes are the plaintext itself, so they are disclosed to anyone who receives the ciphertext. OpenSSL does not support OCB based cipher suites for TLS or DTLS, so neither protocol is affected. Fixed in OpenSSL 3.0.5 (affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (affected 1.1.1-1.1.1p).
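The affected ranges above translate into a simple fleet check. The following is an added example, not code from OpenSSL or from any of the advisories referenced on this page: it parses the version string printed by `openssl version` (or exposed as Python's `ssl.OPENSSL_VERSION`), decides whether it falls in 1.1.1-1.1.1p or 3.0.0-3.0.4, and pairs that with the machine architecture, since the description limits the faulty code path to the AES-NI assembly for 32-bit x86. The set of 32-bit machine names and the treatment of pre-release strings such as `3.0.0-alpha1` (counted as 3.0.0) are assumptions of the example, not facts from the advisory.

```python
import platform
import re
import ssl

# Affected ranges as stated in the advisory text on this page:
#   1.1.1 .. 1.1.1p  (fixed in 1.1.1q)
#   3.0.0 .. 3.0.4   (fixed in 3.0.5)
# Anything else is treated as "not listed as affected here".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Assumption of this example: machine names that platform.machine() or
# `uname -m` report for 32-bit x86 builds.
_X86_32BIT_MACHINES = {"i386", "i486", "i586", "i686", "x86"}


def parse_openssl_version(text):
    """Extract (major, minor, patch, letter) from strings such as
    'OpenSSL 1.1.1n  15 Mar 2022' or '3.0.2'. Returns None if no version is found.
    1.1.1 releases carry a letter suffix ('' for the initial 1.1.1 release);
    3.x releases do not. Pre-release markers like '-alpha1' are ignored (assumption)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def is_affected_version(text):
    """True when the version lies in 1.1.1..1.1.1p or 3.0.0..3.0.4."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, letter = parsed
    if (major, minor, patch) == (1, 1, 1):
        # Letter releases sort '' < 'a' < ... < 'p' (affected) < 'q' (fixed).
        # Comparing (length, letter) keeps '' ahead of every lettered release.
        return (len(letter), letter) <= (1, "p")
    if (major, minor) == (3, 0):
        return patch <= 4
    return False


def is_x86_32bit(machine):
    return machine.lower() in _X86_32BIT_MACHINES


def assess(version_text, machine):
    """Combine version and architecture into a one-line verdict for a host."""
    if not is_affected_version(version_text):
        return "not affected: version outside the ranges fixed by 1.1.1q / 3.0.5"
    if is_x86_32bit(machine):
        return ("exposed: affected version on 32-bit x86, where the AES-NI OCB "
                "assembly can leave sixteen bytes unencrypted")
    return ("affected version, but the advisory describes the fault only for "
            "32-bit x86 builds; upgrade regardless")


if __name__ == "__main__":
    # Run against the interpreter's own libcrypto and the local machine type.
    print(ssl.OPENSSL_VERSION, platform.machine())
    print(assess(ssl.OPENSSL_VERSION, platform.machine()))
```

The version check is deliberately conservative: it flags every build in the listed ranges, including 64-bit ones, because a version string cannot tell you whether a given 32-bit binary was built with the AES-NI assembly or whether the CPU it runs on takes that path. Treat "exposed" as the case to patch first and "affected version" as still needing the upgrade.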
CVSS Score
5.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openssl | Openssl | >= 1.1.1, < 1.1.1q |
| Openssl | Openssl | >= 3.0.0, < 3.0.5 |
| Fedoraproject | Fedora | 35 |
| Netapp | Active Iq Unified Manager | - |
| Netapp | Clustered Data Ontap Antivirus Connector | - |
| Netapp | H300S Firmware | - |
| Netapp | H500S Firmware | - |
| Netapp | H500S | - |
| Netapp | H700S Firmware | - |
| Netapp | H700S | - |
| Netapp | H410S Firmware | - |
| Netapp | H410S | - |
| Netapp | H410C Firmware | - |
| Netapp | H410C | - |
| Siemens | Sinec Ins | < 1.0 |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf (Third Party Advisory)
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=919925673d6c9cf
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a98f339ddd7e8f4
- https://lists.debian.org/debian-lts-announce/2023/02/msg00019.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202210-02 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20220715-0011/ (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20230420-0008/
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://www.debian.org/security/2023/dsa-5343 (Third Party Advisory)
- https://www.openssl.org/news/secadv/20220705.txt (Vendor Advisory)
FAQ
What is CVE-2022-2097?
CVE-2022-2097 is a vulnerability with a CVSS base score of 5.3 (MEDIUM) in OpenSSL's AES-NI assembly optimised implementation of AES OCB mode on 32-bit x86 platforms. Under some circumstances sixteen bytes of the output are never written, so the ciphertext carries sixteen bytes of stale memory; with "in place" encryption those sixteen bytes are plaintext. TLS and DTLS are unaffected because OpenSSL offers no OCB cipher suites.
How severe is CVE-2022-2097?
CVE-2022-2097 has been rated MEDIUM with a CVSS base score of 5.3/10. The impact described in the advisory is disclosure of up to sixteen bytes per affected encryption, and only for 32-bit x86 builds that use the AES-NI assembly implementation of AES OCB; applications that encrypt in place disclose sixteen bytes of plaintext, others disclose stale memory contents. Only the base score and rating are listed on this page.
Is there a patch for CVE-2022-2097?
Yes. OpenSSL fixed the issue in 1.1.1q (for 1.1.1 through 1.1.1p) and in 3.0.5 (for 3.0.0 through 3.0.4); the OpenSSL security advisory of 5 July 2022 is listed in the references above. Downstream vendors that ship the affected OpenSSL versions publish their own fixes and schedules in the advisories referenced above; affected products include: Openssl Openssl, Fedoraproject Fedora, Netapp Active Iq Unified Manager, Netapp Clustered Data Ontap Antivirus Connector, Netapp H300S Firmware, and the other NetApp, Siemens and Debian entries in the table.