Vulnerability Details CVE-2022-1292
The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.384
EPSS Ranking 97.1%
CVSS Severity
CVSS v3 Score 7.3
CVSS v2 Score 10.0
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=548d3f280a6e737673f5b61fce24bb100108dfeb
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23
- https://lists.debian.org/debian-lts-announce/2022/05/msg00019.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VX4KWHPMKYJL6ZLW4M5IU7E5UV5ZWJQU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNU5M7BXMML26G3GPYKFGQYPQDRSNKDD/
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011
- https://security.gentoo.org/glsa/202210-02
- https://security.netapp.com/advisory/ntap-20220602-0009/
- https://security.netapp.com/advisory/ntap-20220729-0004/
- https://www.debian.org/security/2022/dsa-5139
- https://www.openssl.org/news/secadv/20220503.txt
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=548d3f280a6e737673f5b61fce24bb100108dfeb
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23
- https://gitlab.com/fraf0/cve-2022-1292-re_score-analysis
- https://lists.debian.org/debian-lts-announce/2022/05/msg00019.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VX4KWHPMKYJL6ZLW4M5IU7E5UV5ZWJQU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNU5M7BXMML26G3GPYKFGQYPQDRSNKDD/
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011
- https://security.gentoo.org/glsa/202210-02
- https://security.netapp.com/advisory/ntap-20220602-0009/
- https://security.netapp.com/advisory/ntap-20220729-0004/
- https://www.debian.org/security/2022/dsa-5139
- https://www.openssl.org/news/secadv/20220503.txt
- https://www.oracle.com/security-alerts/cpujul2022.html
Products affected by CVE-2022-1292
-
_enterprise_sds_&_hci_storage_node:-
-
cpe:2.3:a:netapp:active_iq_unified_manager:-
-
cpe:2.3:a:netapp:clustered_data_ontap:-
-
cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-
-
cpe:2.3:a:netapp:oncommand_insight:-
-
cpe:2.3:a:netapp:oncommand_workflow_automation:-
-
cpe:2.3:a:netapp:santricity_smi-s_provider:-
-
cpe:2.3:a:netapp:smi-s_provider:-
-
cpe:2.3:a:netapp:snapcenter:-
-
cpe:2.3:a:netapp:snapmanager:-
-
cpe:2.3:a:netapp:solidfire
-
cpe:2.3:a:netapp:solidfire_&_hci_management_node:-
-
cpe:2.3:a:openssl:openssl:1.0.2
-
cpe:2.3:a:openssl:openssl:1.0.2a
-
cpe:2.3:a:openssl:openssl:1.0.2b
-
cpe:2.3:a:openssl:openssl:1.0.2c
-
cpe:2.3:a:openssl:openssl:1.0.2d
-
cpe:2.3:a:openssl:openssl:1.0.2e
-
cpe:2.3:a:openssl:openssl:1.0.2f
-
cpe:2.3:a:openssl:openssl:1.0.2g
-
cpe:2.3:a:openssl:openssl:1.0.2h
-
cpe:2.3:a:openssl:openssl:1.0.2i
-
cpe:2.3:a:openssl:openssl:1.0.2j
-
cpe:2.3:a:openssl:openssl:1.0.2k
-
cpe:2.3:a:openssl:openssl:1.0.2l
-
cpe:2.3:a:openssl:openssl:1.0.2m
-
cpe:2.3:a:openssl:openssl:1.0.2n
-
cpe:2.3:a:openssl:openssl:1.0.2o
-
cpe:2.3:a:openssl:openssl:1.0.2p
-
cpe:2.3:a:openssl:openssl:1.0.2q
-
cpe:2.3:a:openssl:openssl:1.0.2r
-
cpe:2.3:a:openssl:openssl:1.0.2s
-
cpe:2.3:a:openssl:openssl:1.0.2t
-
cpe:2.3:a:openssl:openssl:1.0.2u
-
cpe:2.3:a:openssl:openssl:1.0.2v
-
cpe:2.3:a:openssl:openssl:1.0.2w
-
cpe:2.3:a:openssl:openssl:1.0.2x
-
cpe:2.3:a:openssl:openssl:1.0.2y
-
cpe:2.3:a:openssl:openssl:1.0.2za
-
cpe:2.3:a:openssl:openssl:1.0.2zb
-
cpe:2.3:a:openssl:openssl:1.0.2zc
-
cpe:2.3:a:openssl:openssl:1.0.2zd
-
cpe:2.3:a:openssl:openssl:1.1.1
-
cpe:2.3:a:openssl:openssl:1.1.1a
-
cpe:2.3:a:openssl:openssl:1.1.1b
-
cpe:2.3:a:openssl:openssl:1.1.1c
-
cpe:2.3:a:openssl:openssl:1.1.1d
-
cpe:2.3:a:openssl:openssl:1.1.1e
-
cpe:2.3:a:openssl:openssl:1.1.1f
-
cpe:2.3:a:openssl:openssl:1.1.1g
-
cpe:2.3:a:openssl:openssl:1.1.1h
-
cpe:2.3:a:openssl:openssl:1.1.1i
-
cpe:2.3:a:openssl:openssl:1.1.1j
-
cpe:2.3:a:openssl:openssl:1.1.1k
-
cpe:2.3:a:openssl:openssl:1.1.1l
-
cpe:2.3:a:openssl:openssl:1.1.1m
-
cpe:2.3:a:openssl:openssl:1.1.1n
-
cpe:2.3:a:openssl:openssl:3.0.0
-
cpe:2.3:a:openssl:openssl:3.0.1
-
cpe:2.3:a:openssl:openssl:3.0.2
-
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0
-
cpe:2.3:a:oracle:mysql_server:5.0.0
-
cpe:2.3:a:oracle:mysql_server:5.7.0
-
cpe:2.3:a:oracle:mysql_server:5.7.26
-
cpe:2.3:a:oracle:mysql_server:5.7.27
-
cpe:2.3:a:oracle:mysql_server:5.7.28
-
cpe:2.3:a:oracle:mysql_server:5.7.32
-
cpe:2.3:a:oracle:mysql_server:5.7.33
-
cpe:2.3:a:oracle:mysql_server:5.7.34
-
cpe:2.3:a:oracle:mysql_server:5.7.35
-
cpe:2.3:a:oracle:mysql_server:5.7.36
-
cpe:2.3:a:oracle:mysql_server:5.7.38
-
cpe:2.3:a:oracle:mysql_server:8.0.0
-
cpe:2.3:a:oracle:mysql_server:8.0.15
-
cpe:2.3:a:oracle:mysql_server:8.0.17
-
cpe:2.3:a:oracle:mysql_server:8.0.22
-
cpe:2.3:a:oracle:mysql_server:8.0.23
-
cpe:2.3:a:oracle:mysql_server:8.0.24
-
cpe:2.3:a:oracle:mysql_server:8.0.25
-
cpe:2.3:a:oracle:mysql_server:8.0.26
-
cpe:2.3:a:oracle:mysql_server:8.0.27
-
cpe:2.3:a:oracle:mysql_server:8.0.28
-
cpe:2.3:a:oracle:mysql_server:8.0.29
-
cpe:2.3:a:oracle:mysql_workbench:-
-
cpe:2.3:a:oracle:mysql_workbench:5.2.47
-
cpe:2.3:a:oracle:mysql_workbench:6.0.9
-
cpe:2.3:a:oracle:mysql_workbench:6.1.7
-
cpe:2.3:a:oracle:mysql_workbench:6.2.5
-
cpe:2.3:a:oracle:mysql_workbench:6.3.10
-
cpe:2.3:a:oracle:mysql_workbench:6.3.8
-
cpe:2.3:a:oracle:mysql_workbench:8.0.12
-
cpe:2.3:a:oracle:mysql_workbench:8.0.13
-
cpe:2.3:a:oracle:mysql_workbench:8.0.14
-
cpe:2.3:a:oracle:mysql_workbench:8.0.15
-
cpe:2.3:a:oracle:mysql_workbench:8.0.16
-
cpe:2.3:a:oracle:mysql_workbench:8.0.17
-
cpe:2.3:a:oracle:mysql_workbench:8.0.18
-
cpe:2.3:a:oracle:mysql_workbench:8.0.19
-
cpe:2.3:a:oracle:mysql_workbench:8.0.20
-
cpe:2.3:a:oracle:mysql_workbench:8.0.21
-
cpe:2.3:a:oracle:mysql_workbench:8.0.22
-
cpe:2.3:a:oracle:mysql_workbench:8.0.23
-
cpe:2.3:a:oracle:mysql_workbench:8.0.24
-
cpe:2.3:a:oracle:mysql_workbench:8.0.25
-
cpe:2.3:a:oracle:mysql_workbench:8.0.26
-
cpe:2.3:a:oracle:mysql_workbench:8.0.27
-
cpe:2.3:a:oracle:mysql_workbench:8.0.29
-
cpe:2.3:a:siemens:brownfield_connectivity_gateway:*
-
cpe:2.3:h:netapp:a250:-
-
cpe:2.3:h:netapp:a700s:-
-
cpe:2.3:h:netapp:aff_500f:-
-
cpe:2.3:h:netapp:aff_8300:-
-
cpe:2.3:h:netapp:aff_8700:-
-
cpe:2.3:h:netapp:aff_a400:-
-
cpe:2.3:h:netapp:fabric-attached_storage_a400:-
-
cpe:2.3:h:netapp:fas_500f:-
-
cpe:2.3:h:netapp:fas_8300:-
-
cpe:2.3:h:netapp:fas_8700:-
-
cpe:2.3:h:netapp:h300e:-
-
cpe:2.3:h:netapp:h300s:-
-
cpe:2.3:h:netapp:h410s:-
-
cpe:2.3:h:netapp:h500e:-
-
cpe:2.3:h:netapp:h500s:-
-
cpe:2.3:h:netapp:h700e:-
-
cpe:2.3:h:netapp:h700s:-
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:debian:debian_linux:11.0
-
cpe:2.3:o:debian:debian_linux:9.0
-
cpe:2.3:o:fedoraproject:fedora:35
-
cpe:2.3:o:fedoraproject:fedora:36
-
cpe:2.3:o:netapp:a250_firmware:-
-
cpe:2.3:o:netapp:a700s_firmware:-
-
cpe:2.3:o:netapp:aff_500f_firmware:-
-
cpe:2.3:o:netapp:aff_8300_firmware:-
-
cpe:2.3:o:netapp:aff_8700_firmware:-
-
cpe:2.3:o:netapp:aff_a400_firmware:-
-
cpe:2.3:o:netapp:fabric-attached_storage_a400_firmware:-
-
cpe:2.3:o:netapp:fas_500f_firmware:-
-
cpe:2.3:o:netapp:fas_8300_firmware:-
-
cpe:2.3:o:netapp:fas_8700_firmware:-
-
cpe:2.3:o:netapp:h300e_firmware:-
-
cpe:2.3:o:netapp:h300s_firmware:-
-
cpe:2.3:o:netapp:h410s_firmware:-
-
cpe:2.3:o:netapp:h500e_firmware:-
-
cpe:2.3:o:netapp:h500s_firmware:-
-
cpe:2.3:o:netapp:h700e_firmware:-
-
cpe:2.3:o:netapp:h700s_firmware:-