Cryptographic Issues Affecting openssl-src package, versions >=300.0.0 <300.0.10


Severity: medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

EPSS: 0.12% (47th percentile)

  • Snyk ID: SNYK-RUST-OPENSSLSRC-3043023
  • Published: 12 Oct 2022
  • Disclosed: 11 Oct 2022
  • Credit: Unknown

Introduced: 11 Oct 2022

CVE-2022-3358
CWE-310 (Cryptographic Issues)

How to fix?

Upgrade openssl-src to version 300.0.10 or higher.
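As an added example (not part of the Snyk advisory or of the openssl-src project), the following Rust snippet checks whether a Cargo.lock pins openssl-src inside the affected range (>=300.0.0 <300.0.10). openssl-src publishes versions with a `+` build-metadata suffix carrying the upstream OpenSSL version, which the parser strips before comparing. The lockfile text and the function names are constructed for illustration.

```rust
// Added example: report openssl-src entries in a Cargo.lock whose version
// falls in the affected range >=300.0.0 <300.0.10 from the advisory above.

/// Lower bound of the affected range and the first fixed version.
const AFFECTED_FROM: (u64, u64, u64) = (300, 0, 0);
const FIXED_IN: (u64, u64, u64) = (300, 0, 10);

/// Parse "MAJOR.MINOR.PATCH" (optionally followed by "+build-metadata",
/// e.g. "300.0.10+3.0.6") into a comparable tuple. Returns None on
/// malformed input so that garbage never reads as "not affected" by accident
/// in the caller's logic; is_affected() treats None as not affected.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.trim().split('+').next()?;
    let mut parts = core.split('.');
    let major = parts.next()?.parse().ok()?;
    let minor = parts.next()?.parse().ok()?;
    let patch = parts.next()?.parse().ok()?;
    if parts.next().is_some() {
        return None;
    }
    Some((major, minor, patch))
}

/// True if `version` is >= 300.0.0 and < 300.0.10.
pub fn is_affected(version: &str) -> bool {
    match parse_version(version) {
        Some(v) => v >= AFFECTED_FROM && v < FIXED_IN,
        None => false,
    }
}

/// Walk the `[[package]]` tables of a Cargo.lock and return (name, version)
/// for every openssl-src entry in the affected range. Only the `name` and
/// `version` keys are read; the rest of the TOML is ignored.
pub fn affected_packages(lock: &str) -> Vec<(String, String)> {
    fn flush(name: &mut Option<String>, version: &mut Option<String>, out: &mut Vec<(String, String)>) {
        if let (Some(n), Some(v)) = (name.take(), version.take()) {
            if n == "openssl-src" && is_affected(&v) {
                out.push((n, v));
            }
        }
    }

    let mut out = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<String> = None;
    for raw in lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            // A new table starts: evaluate the one we just finished.
            flush(&mut name, &mut version, &mut out);
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim().trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            version = Some(rest.trim().trim_matches('"').to_string());
        }
    }
    flush(&mut name, &mut version, &mut out);
    out
}

/// Constructed lockfile excerpt (not taken from any real project).
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "openssl-src"
version = "300.0.9+3.0.5"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "openssl-sys"
version = "0.9.75"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    // In practice, read std::fs::read_to_string("Cargo.lock") instead.
    for (name, version) in affected_packages(SAMPLE_LOCK) {
        println!("{} {} is affected; upgrade to 300.0.10 or higher", name, version);
    }
}
```

Note that `cargo update -p openssl-src` is the usual way to move the lockfile to the fixed version; the scan above is only a quick pre-check that does not replace a full dependency audit.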

Overview

openssl-src is a crate that contains the logic to build OpenSSL and is intended to be consumed by the openssl-sys crate.

Affected versions of this package are vulnerable to Cryptographic Issues. OpenSSL 3.0 still lets an application define a custom cipher through the legacy EVP_CIPHER_meth_new() function, whose first argument is the NID that is supposed to uniquely identify that cipher. The bundled OpenSSL versions handle such custom ciphers incorrectly when they are passed to EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2(): instead of using the custom cipher directly, the initialization function tries to fetch an equivalent cipher from the loaded providers, looking it up by that NID. If the application incorrectly passed NID_undef as the NID in its call to EVP_CIPHER_meth_new(), the lookup matches the NULL cipher as the equivalent and fetches it from the available providers. The application then silently uses the NULL cipher, so data it believes it is encrypting or decrypting with the custom cipher passes through unchanged.

Notes:

1) Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use the resulting cipher in a call to an encryption/decryption initialization function.

2) Applications that only use SSL/TLS are not impacted by this issue.

CVSS Scores (version 3.1)