CVE-2022-29242 — MEDIUM (5.9)

Q: How severe is CVE-2022-29242?

CVE-2022-29242 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-29242?

Check the references section above for vendor advisories and patch information. Affected products include: Gost Engine Project Gost Engine.

Vulnerability Description

GOST engine is a reference implementation of the Russian GOST crypto algorithms for OpenSSL. TLS clients using GOST engine when ciphersuite `TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC` is agreed and the server uses 512 bit GOST secret keys are vulnerable to buffer overflow. GOST engine version 3.0.1 contains a patch for this issue. Disabling ciphersuite `TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC` is a possible workaround.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Gost Engine Project	Gost Engine	< 3.0.1

Related Weaknesses (CWE)

CWE-120

References

https://github.com/gost-engine/engine/commit/7df766124f87768b43b9e8947c5a01e1754PatchThird Party Advisory
https://github.com/gost-engine/engine/commit/b2b4d629f100eaee9f5942a106b1ccefe85PatchThird Party Advisory
https://github.com/gost-engine/engine/commit/c6655a0b620a3e31f085cc906f8073fe81bPatchThird Party Advisory
https://github.com/gost-engine/engine/releases/tag/v3.0.1Release NotesThird Party Advisory
https://github.com/gost-engine/engine/security/advisories/GHSA-2rmw-8wpg-vgw5Third Party Advisory
https://github.com/gost-engine/engine/commit/7df766124f87768b43b9e8947c5a01e1754PatchThird Party Advisory
https://github.com/gost-engine/engine/commit/b2b4d629f100eaee9f5942a106b1ccefe85PatchThird Party Advisory
https://github.com/gost-engine/engine/commit/c6655a0b620a3e31f085cc906f8073fe81bPatchThird Party Advisory
https://github.com/gost-engine/engine/releases/tag/v3.0.1Release NotesThird Party Advisory
https://github.com/gost-engine/engine/security/advisories/GHSA-2rmw-8wpg-vgw5Third Party Advisory

FAQ

What is CVE-2022-29242?

CVE-2022-29242 is a vulnerability with a CVSS score of 5.9 (MEDIUM). GOST engine is a reference implementation of the Russian GOST crypto algorithms for OpenSSL. TLS clients using GOST engine when ciphersuite `TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC` is agreed and...

How severe is CVE-2022-29242?

CVE-2022-29242 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-29242?

Check the references section above for vendor advisories and patch information. Affected products include: Gost Engine Project Gost Engine.