openssl openssl CVE-2022-2068 vulnerability in OpenSSL and Other Products
Published on June 21, 2022

The c_rehash script allows command injection

product logo product logo product logo product logo product logo product logo product logo product logo
In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).

Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2022-2068 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

What is a Shell injection Vulnerability?

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVE-2022-2068 has been classified to as a Shell injection vulnerability or weakness.


Products Associated with CVE-2022-2068

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-2068 are published in these products:

OpenSSL
 
Debian Linux
 
Fedora Project Fedora
 
Siemens Sinec Ins
 
NetApp Santricity Smi S Provider
 
NetApp Element Software
 
NetApp Ontap Select Deploy Administration Utility
 
NetApp Smi S Provider
 
NetApp Solidfire
 
NetApp Hci Management Node
 
NetApp Snapmanager
 
NetApp Ontap Antivirus Connector
 
Broadcom Sannav
 
Canonical Ubuntu Linux
 
Oracle
 

Affected Versions

OpenSSL:

Exploit Probability

EPSS
20.22%
Percentile
95.38%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.