CVE-2022-1473

EPSS 0.28%
Published 03.05.2022 16:15:18
Last modified 05.05.2025 17:17:34
Source openssl-security@openssl.org
Teams watchlist Login
Open Login

The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).

Affected products Warnungen 0 Metrics 4 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

OpenSSL ≫ OpenSSL Version >= 3.0.0 < 3.0.3

Netapp ≫ Active Iq Unified Manager Version- SwPlatformvsphere

Netapp ≫ Clustered Data Ontap Version-

Netapp ≫ Clustered Data Ontap Antivirus Connector Version-

Netapp ≫ Santricity Smi-s Provider Version-

Netapp ≫ Smi-s Provider Version-

Netapp ≫ Snapmanager Version- SwPlatformhyper-v

Netapp ≫ A700s Firmware Version-

Netapp ≫ A700s Version-

Netapp ≫ H300s Firmware Version-

Netapp ≫ H300s Version-

Netapp ≫ H500s Firmware Version-

Netapp ≫ H500s Version-

Netapp ≫ H700s Firmware Version-

Netapp ≫ H700s Version-

Netapp ≫ H300e Firmware Version-

Netapp ≫ H300e Version-

Netapp ≫ H500e Firmware Version-

Netapp ≫ H500e Version-

Netapp ≫ H700e Firmware Version-

Netapp ≫ H700e Version-

Netapp ≫ H410s Firmware Version-

Netapp ≫ H410s Version-

Netapp ≫ Aff 8300 Firmware Version-

Netapp ≫ Aff 8300 Version-

Netapp ≫ Fas 8300 Firmware Version-

Netapp ≫ Fas 8300 Version-

Netapp ≫ Aff 8700 Firmware Version-

Netapp ≫ Aff 8700 Version-

Netapp ≫ Fas 8700 Firmware Version-

Netapp ≫ Fas 8700 Version-

Netapp ≫ Aff A400 Firmware Version-

Netapp ≫ Aff A400 Version-

Netapp ≫ Fabric-attached Storage A400 Firmware Version-

Netapp ≫ Fabric-attached Storage A400 Version-

Netapp ≫ A250 Firmware Version-

Netapp ≫ A250 Version-

Netapp ≫ Aff 500f Firmware Version-

Netapp ≫ Aff 500f Version-

Netapp ≫ Fas 500f Firmware Version-

Netapp ≫ Fas 500f Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.28%	0.517

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-459 Incomplete Cleanup

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

https://security.gentoo.org/glsa/202210-02

Third Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf

https://security.netapp.com/advisory/ntap-20220602-0009/

Third Party Advisory

https://www.openssl.org/news/secadv/20220503.txt

Vendor Advisory

https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=64c85430f95200b6b51fe9475bd5203f7c19daf1

https://nvd.nist.gov/vuln/detail/CVE-2022-1473

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-1473

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-1473

EUVD