ProxySG 6.7.5.17 not vulnerable to CVE-2022-0778

Article ID: 240801

Products

SG-S400

Issue/Introduction

The OpenSSL team announced CVE-2022-0778, a denial of service vulnerability (infinite CPU loop) in BN_mod_sqrt() that can be reached when parsing an SSL certificate.

Cause

All SSL clients, SSL servers accepting client certificates, and all applications parsing user-provided X.509 certificates are affected.

Environment

This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.
It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022.
Fixed in OpenSSL 3.0.2 (Affected 3.0.0, 3.0.1).
Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m).
Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).
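
The ranges above can be checked against `openssl version` output collected from other hosts. The following is an added example, not part of the original article; the function names `classify` and `letter_rank` and the sample inputs are assumptions. It handles the letter-suffix ordering of the 1.0.2 and 1.1.1 branches, where `zd` sorts after `z`.

```python
import re

# Affected ranges and first fixed release per branch, from the list above.
FIRST_FIXED = {"1.0.2": "zd", "1.1.1": "n"}   # letter-suffixed branches
FIRST_FIXED_3_0_PATCH = 2                      # 3.0.2

_LETTERED = re.compile(r"^(1\.0\.2|1\.1\.1)([a-z]{0,2})(?![a-z0-9])")
_THREE_ZERO = re.compile(r"^3\.0\.(\d+)")


def letter_rank(suffix):
    """Order OpenSSL letter suffixes: '' < 'a'..'z' < 'za'..'zz'."""
    if len(suffix) == 2:
        if suffix[0] != "z":
            raise ValueError(f"unexpected suffix {suffix!r}")
        return 26 + letter_rank(suffix[1])
    return ord(suffix) - ord("a") + 1 if suffix else 0


def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for an upstream version string.

    Accepts a bare version ('1.0.2zc') or a line of `openssl version` output.
    """
    fields = version.split()
    if not fields:
        return "unknown"
    v = fields[1] if fields[0].lower() == "openssl" and len(fields) > 1 else fields[0]
    m = _LETTERED.match(v)
    if m:
        branch, suffix = m.groups()
        try:
            fixed = letter_rank(suffix) >= letter_rank(FIRST_FIXED[branch])
        except ValueError:
            return "unknown"
        return "fixed" if fixed else "affected"
    m = _THREE_ZERO.match(v)
    if m:
        return "fixed" if int(m.group(1)) >= FIRST_FIXED_3_0_PATCH else "affected"
    return "unknown"  # branch not covered by the list above


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    for s in ["OpenSSL 1.1.1k  FIPS 25 Mar 2021", "1.0.2zc", "1.0.2zd", "3.0.1", "1.1.0l"]:
        print(f"{s!r}: {classify(s)}")
```

The result reflects upstream OpenSSL release numbering only; vendor builds that backport the fix without changing the version string will still be reported as affected and need to be confirmed against the vendor's own advisory.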

Resolution

SGOS 6.7.5.17 includes the fix from the OpenSSL High Severity Security Patch for 1.0.2zd, 1.1.1n and 3.0.2.

Internal BUG SG-30816