CVE-2022-2097 vulnerability in OpenSSL and Other Products
Published on July 5, 2022
AES OCB fails to encrypt some bytes
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).
Products Associated with CVE-2022-2097
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-2097 are published in these products:
Affected Versions
OpenSSL:- Version Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4) is affected.
- Version Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p) is affected.
- Version 1.1.1 and below 1.1.1q is affected.
- Version 3.0.0 and below 3.0.5 is affected.
- Version 0 is affected.
- Version 0 is affected.
- Version 35 is affected.
- Version 36 is affected.
- Version 0 is affected.
- Version h300s is affected.
- Version h410c is affected.
- Version h410s is affected.
- Version h500s is affected.
- Version h700s is affected.
- Version 0 is affected.
- Version 0 is affected.
- Version 0 is affected.
- Version 0 is affected.
- Before 1.0_sp2_update_1 is affected.
- Version 10.0 is affected.
- Version 11.0 is affected.
Exploit Probability
EPSS
0.41%
Percentile
60.66%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.