=====================================================================

                                  CERT-Renater

                      Note d'Information No. 2022/VULN462

_____________________________________________________________________

DATE                : 14/12/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running OpenSSL versions 3 prior to 3.0.8.

=====================================================================
https://www.openssl.org/news/secadv/20221213.txt
_____________________________________________________________________

OpenSSL Security Advisory [13 December 2022]
============================================

X.509 Policy Constraints Double Locking (CVE-2022-3996)
=======================================================

Severity: Low

If an X.509 certificate contains a malformed policy constraint and
policy processing is enabled, then a write lock will be taken twice
recursively.  On some operating systems (most widely: Windows) this
results in a denial of service when the affected process hangs.
Policy processing being enabled on a publicly facing server is not
considered to be a common setup.

Policy processing is enabled by passing the `-policy'
argument to the command line utilities or by calling either
`X509_VERIFY_PARAM_add0_policy()' or `X509_VERIFY_PARAM_set1_policies()'
functions.

OpenSSL versions 3.0.0 to 3.0.7 are vulnerable to this issue.  However
due to the low severity of this issue we are not creating a new release
at this time.  The mitigation for this issue can be found in commit
7725e7bfe.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8 once it is released.

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

This issue was discovered on 7th November 2022 by Polar Bear.
The fix was developed by Dr Paul Dale.

We have no evidence of this issue being exploited as of the time of
release of this advisory (December 13th 2022).

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20221213.txt

Note: the online version of the advisory may be updated with additional 
details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================