Issued:
2022-08-30
Updated:
2022-08-30

RHSA-2022:6224 - Moderate: openssl security and bug fix update

Synopsis

Moderate: openssl security and bug fix update

Type/Severity

Security Advisory Moderate

Topic

An update for openssl is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Security Fix(es):

  • openssl: c_rehash script allows command injection (CVE-2022-1292)

  • openssl: Signer certificate verification returns inaccurate response when using OCSP_NOCHECKS (CVE-2022-1343)

  • openssl: OPENSSL_LH_flush() breaks reuse of memory (CVE-2022-1473)

  • openssl: the c_rehash script allows command injection (CVE-2022-2068)

  • openssl: AES OCB fails to encrypt some bytes (CVE-2022-2097)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • openssl occasionally sends internal error to gnutls when using FFDHE (BZ#2080323)

  • openssl req defaults to 3DES (BZ#2085499)

  • OpenSSL accepts custom elliptic curve parameters when p is large [rhel-9] (BZ#2085508)

  • OpenSSL mustn't work with ECDSA with explicit curve parameters in FIPS mode (BZ#2085521)

  • openssl s_server -groups secp256k1 in FIPS fails because X25519/X448 (BZ#2086554)

  • Converting FIPS power-on self test to KAT (BZ#2086866)

  • Small RSA keys work for some operations in FIPS mode (BZ#2091938)

  • FIPS provider doesn't block RSA encryption for key transport (BZ#2091977)

  • OpenSSL testsuite certificates expired (BZ#2095696)

  • [IBM 9.1 HW OPT] POWER10 performance enhancements for cryptography: OpenSSL (BZ#2103044)

  • [FIPS lab review] self-test (BZ#2112978)

  • [FIPS lab review] DH tuning (BZ#2115856)

  • [FIPS lab review] EC tuning (BZ#2115857)

  • [FIPS lab review] RSA tuning (BZ#2115858)

  • [FIPS lab review] RAND tuning (BZ#2115859)

  • [FIPS lab review] zeroization (BZ#2115861)

  • [FIPS lab review] HKDF limitations (BZ#2118388)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

Affected Products

ProductVersionArch
Red Hat Enterprise Linux for x86_649x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions9.6x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions9.4x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions9.2x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions9.0x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support9.6x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support9.4x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support9.2x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support9.0x86_64
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle9.6x86_64
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle9.4x86_64
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle9.2x86_64
Red Hat Enterprise Linux for Power, little endian9ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support9.6ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support9.4ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support9.2ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support9.0ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle9.6ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle9.4ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle9.2ppc64le
Red Hat Enterprise Linux for IBM z Systems9s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support9.6s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support9.4s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support9.2s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support9.0s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle9.6s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle9.4s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle9.2s390x
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates9.6s390x
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates9.4s390x
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates9.2s390x
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates9.0s390x
Red Hat Enterprise Linux for ARM 649aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support9.6aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support9.4aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support9.2aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support9.0aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle9.6aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle9.4aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle9.2aarch64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates9.6aarch64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates9.4aarch64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates9.2aarch64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates9.0aarch64
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions9.6ppc64le
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions9.4ppc64le
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions9.2ppc64le
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions9.0ppc64le
Red Hat Enterprise Linux Server - AUS9.6x86_64
Red Hat Enterprise Linux Server - AUS9.4x86_64
Red Hat Enterprise Linux Server - AUS9.2x86_64

Updated Packages

  • openssl-libs-3.0.1-41.el9_0.s390x.rpm
  • openssl-3.0.1-41.el9_0.src.rpm
  • openssl-debuginfo-3.0.1-41.el9_0.ppc64le.rpm
  • openssl-libs-debuginfo-3.0.1-41.el9_0.i686.rpm
  • openssl-devel-3.0.1-41.el9_0.i686.rpm
  • openssl-libs-3.0.1-41.el9_0.i686.rpm
  • openssl-perl-3.0.1-41.el9_0.s390x.rpm
  • openssl-3.0.1-41.el9_0.s390x.rpm
  • openssl-debugsource-3.0.1-41.el9_0.ppc64le.rpm
  • openssl-libs-3.0.1-41.el9_0.ppc64le.rpm
  • openssl-debugsource-3.0.1-41.el9_0.s390x.rpm
  • openssl-debugsource-3.0.1-41.el9_0.i686.rpm
  • openssl-devel-3.0.1-41.el9_0.x86_64.rpm
  • openssl-libs-debuginfo-3.0.1-41.el9_0.s390x.rpm
  • openssl-debuginfo-3.0.1-41.el9_0.aarch64.rpm
  • openssl-3.0.1-41.el9_0.aarch64.rpm
  • openssl-debugsource-3.0.1-41.el9_0.aarch64.rpm
  • openssl-libs-debuginfo-3.0.1-41.el9_0.x86_64.rpm
  • openssl-libs-3.0.1-41.el9_0.x86_64.rpm
  • openssl-debuginfo-3.0.1-41.el9_0.s390x.rpm
  • openssl-perl-3.0.1-41.el9_0.ppc64le.rpm
  • openssl-3.0.1-41.el9_0.x86_64.rpm
  • openssl-devel-3.0.1-41.el9_0.s390x.rpm
  • openssl-perl-3.0.1-41.el9_0.aarch64.rpm
  • openssl-libs-debuginfo-3.0.1-41.el9_0.ppc64le.rpm
  • openssl-3.0.1-41.el9_0.ppc64le.rpm
  • openssl-perl-3.0.1-41.el9_0.x86_64.rpm
  • openssl-debuginfo-3.0.1-41.el9_0.i686.rpm
  • openssl-devel-3.0.1-41.el9_0.ppc64le.rpm
  • openssl-debugsource-3.0.1-41.el9_0.x86_64.rpm
  • openssl-devel-3.0.1-41.el9_0.aarch64.rpm
  • openssl-libs-3.0.1-41.el9_0.aarch64.rpm
  • openssl-debuginfo-3.0.1-41.el9_0.x86_64.rpm
  • openssl-libs-debuginfo-3.0.1-41.el9_0.aarch64.rpm

Fixes

CVEs

References

Additional information