Cryptographic Issues Affecting openssl-src package, versions >=300.0.0 <300.0.10
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-OPENSSLSRC-3043023
- published12 Oct 2022
- disclosed11 Oct 2022
- creditUnknown
Introduced: 11 Oct 2022
CVE-2022-3358 (opens in a new tab)How to fix?
Upgrade openssl-src to version 300.0.10 or higher.
Overview
openssl-src is a crate that contains the logic to build OpenSSL and is intended to be consumed by the openssl-sys crate.
Affected versions of this package are vulnerable to Cryptographic Issues due to incorrect handling of legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions, when it incorrectly tries to fetch an equivalent cipher from the available providers.
Exploiting this vulnerability is possible when an application incorrectly passes NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialization function will match the NULL cipher as being equivalent and will fetch this from the available providers.
Notes:
1)Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialization function.
2)Applications that only use SSL/TLS are not impacted by this issue.