Cryptographic Issues Affecting openssl-src package, versions >=300.0.0 <300.0.10

Severity: medium (Snyk CVSS: Attack Complexity Low; EPSS 0.11%, 43rd percentile)
NVD: 7.5 high
SUSE: 6.5 medium
Red Hat: 7.5 high

  • Snyk ID SNYK-RUST-OPENSSLSRC-3043023
  • published 12 Oct 2022
  • disclosed 11 Oct 2022
  • credit Unknown

How to fix?

Upgrade openssl-src to version 300.0.10 or higher.

Overview

openssl-src is a crate that contains the logic to build OpenSSL and is intended to be consumed by the openssl-sys crate.

Affected versions of this package are vulnerable to Cryptographic Issues due to incorrect handling of legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions, which incorrectly try to fetch an equivalent cipher from the available providers. The issue is reachable when an application incorrectly passes NID_undef as the cipher NID in its call to EVP_CIPHER_meth_new(). When NID_undef is used in this way, the OpenSSL encryption/decryption initialization function matches the NULL cipher as being equivalent and fetches it from the available providers, so the subsequent operation is performed with the NULL cipher, which provides no encryption.

Notes:

1) Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialization function.

2) Applications that only use SSL/TLS are not impacted by this issue.
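To check whether a Rust project pins an affected openssl-src build, the following added example (not part of the Snyk advisory or of the openssl-src crate) scans a Cargo.lock for openssl-src entries whose version falls in the advisory's affected range, >=300.0.0 and <300.0.10. The lockfile text embedded below is constructed for the example; the `+3.0.5` build-metadata suffix is stripped before comparison.

```python
"""Audit a Cargo.lock for openssl-src versions in the advisory's affected range."""
import re

# Range stated by the advisory: >=300.0.0 <300.0.10 is affected; 300.0.10+ is fixed.
AFFECTED_MIN = (300, 0, 0)
FIXED = (300, 0, 10)


def parse_version(v: str) -> tuple:
    """Turn '300.0.9' or '300.0.9+3.0.5' into a comparable tuple of ints."""
    core = v.split("+", 1)[0].split("-", 1)[0]  # drop build metadata / pre-release
    return tuple(int(p) for p in core.split("."))


def is_affected(v: str) -> bool:
    """True if the openssl-src version lies in the advisory's vulnerable range."""
    return AFFECTED_MIN <= parse_version(v) < FIXED


def parse_cargo_lock(text: str) -> list:
    """Return (name, version) pairs for every [[package]] table in a Cargo.lock."""
    pkgs, name, version = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            if name and version:
                pkgs.append((name, version))
            name = version = None
        elif m := re.match(r'^name\s*=\s*"([^"]+)"', line):
            name = m.group(1)
        elif m := re.match(r'^version\s*=\s*"([^"]+)"', line):
            version = m.group(1)
    if name and version:
        pkgs.append((name, version))
    return pkgs


def audit(text: str) -> list:
    """Versions of openssl-src in the lockfile that fall in the affected range."""
    return [v for n, v in parse_cargo_lock(text) if n == "openssl-src" and is_affected(v)]


# Constructed sample lockfile (not from any real project) that pins a vulnerable build.
SAMPLE_LOCK = """\
[[package]]
name = "openssl-src"
version = "300.0.9+3.0.5"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "openssl-sys"
version = "0.9.76"
dependencies = ["openssl-src"]
"""
```

Running `audit(open("Cargo.lock").read())` on a real lockfile returns the vulnerable openssl-src versions, or an empty list when the project already pins 300.0.10 or later.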