Cryptographic Issues Affecting openssl-src package, versions >=300.0.0 <300.0.10


Severity: medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS: 0.11% (46th percentile)

  • Snyk ID: SNYK-RUST-OPENSSLSRC-3043023
  • Published: 12 Oct 2022
  • Disclosed: 11 Oct 2022
  • Credit: Unknown

Introduced: 11 Oct 2022

CVE-2022-3358
CWE-310

How to fix?

Upgrade openssl-src to version 300.0.10 or higher.

Overview

openssl-src is a crate that contains the logic to build OpenSSL and is intended to be consumed by the openssl-sys crate.

Affected versions of this package are vulnerable to Cryptographic Issues due to incorrect handling of legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions: instead of using the custom cipher directly, these functions incorrectly try to fetch an equivalent cipher from the available providers, looked up by the NID that was passed to EVP_CIPHER_meth_new(). The problem is triggered when an application incorrectly passes NID_undef as that NID in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way, the OpenSSL encryption/decryption initialization function will match the NULL cipher as being equivalent and will fetch it from the available providers.

Notes:

1) Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialization function.

2) Applications that only use SSL/TLS are not impacted by this issue.

CVSS Scores

version 3.1