{
  "threat_severity" : "Moderate",
  "public_date" : "2022-07-05T00:00:00Z",
  "bugzilla" : {
    "description" : "openssl: AES OCB fails to encrypt some bytes",
    "id" : "2104905",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2104905"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-325",
  "details" : [ "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).", "AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed." ],
  "statement" : "Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 ship OpenSSL 1.0 which does not contain the incorrect assembly code (introduced upstream with commit bd30091). Similarly, the versions of `shim` as shipped with Red Hat Enterprise Linux 8 and 9 are not affected by this issue as they bundle openssl-1.0.2j.",
  "acknowledgement" : "Upstream acknowledges Alex Chernyakhovsky (Google) as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-08-03T00:00:00Z",
    "advisory" : "RHSA-2022:5818",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "openssl-1:1.1.1k-7.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-08-30T00:00:00Z",
    "advisory" : "RHSA-2022:6224",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "openssl-1:3.0.1-41.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-08-30T00:00:00Z",
    "advisory" : "RHSA-2022:6224",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "openssl-1:3.0.1-41.el9_0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "openssl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "openssl098e",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "openssl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "openssl098e",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "ovmf",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "compat-openssl10",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "edk2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "shim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "compat-openssl11",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "edk2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "shim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat JBoss Core Services",
    "fix_state" : "Not affected",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Out of support scope",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "fix_state" : "Not affected",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-2097\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-2097\nhttps://www.openssl.org/news/secadv/20220705.txt" ],
  "name" : "CVE-2022-2097",
  "csaw" : false
}