Vulnerability Name:

CVE-2022-1292 (CCN-225619)

Assigned:2022-05-03
Published:2022-05-03
Updated:2023-02-14
Summary:The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).
CVSS v3 Severity:9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
6.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
5.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
6.7 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
5.8 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
6.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-77
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2022-1292

Source: openssl-security@openssl.org
Type: UNKNOWN
openssl-security@openssl.org

Source: XF
Type: UNKNOWN
openssl-cve20221292-cmd-exec(225619)

Source: openssl-security@openssl.org
Type: Mailing List, Patch, Vendor Advisory
openssl-security@openssl.org

Source: openssl-security@openssl.org
Type: Broken Link
openssl-security@openssl.org

Source: openssl-security@openssl.org
Type: Mailing List, Patch, Vendor Advisory
openssl-security@openssl.org

Source: openssl-security@openssl.org
Type: Mailing List, Third Party Advisory
openssl-security@openssl.org

Source: openssl-security@openssl.org
Type: Mailing List, Third Party Advisory
openssl-security@openssl.org

Source: openssl-security@openssl.org
Type: Mailing List, Third Party Advisory
openssl-security@openssl.org

Source: openssl-security@openssl.org
Type: Third Party Advisory
openssl-security@openssl.org

Source: openssl-security@openssl.org
Type: Third Party Advisory
openssl-security@openssl.org

Source: openssl-security@openssl.org
Type: Third Party Advisory
openssl-security@openssl.org

Source: openssl-security@openssl.org
Type: Third Party Advisory
openssl-security@openssl.org

Source: openssl-security@openssl.org
Type: Third Party Advisory
openssl-security@openssl.org

Source: CCN
Type: IBM Security Bulletin 6590211 (Spectrum Control)
Vulnerability in OpenSSL affects IBM Spectrum Control (CVE-2022-1292)

Source: CCN
Type: IBM Security Bulletin 6596085 (QRadar SIEM)
IBM QRadar WinCollect is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6599331 (i)
OpenSSL for IBM i is vulnerable to command injection due to a flaw in c_rehash script (CVE-2022-1292)

Source: CCN
Type: IBM Security Bulletin 6601085 (App Connect Professional)
OpenSSL vulnerability affects App Connect professional v7.5.4.

Source: CCN
Type: IBM Security Bulletin 6602289 (Netcool/System Service Monitor)
Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors

Source: CCN
Type: IBM Security Bulletin 6602981 (Rational ClearQuest)
Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2022-0778, CVE-2022-1292)

Source: CCN
Type: IBM Security Bulletin 6605801 (Rational ClearCase)
Vulnerability in OpenSSL affects IBM Rational ClearCase (CVE-2022-1292, CVE-2022-0778)

Source: CCN
Type: IBM Security Bulletin 6613431 (AIX)
AIX is vulnerable to arbitrary command execution (CVE-2022-1292 and CVE-2022-2068) or an attacker may obtain sensitive information (CVE-2022-2097) due to OpenSSL

Source: CCN
Type: IBM Security Bulletin 6616067 (Virtualization Engine TS7700 3957-VEC)
Due to use of OpenSSL, IBM Virtualization Engine TS7700 is vulnerable to denial of service (CVE-2022-0778) and privilege escalation (CVE-2022-1292)

Source: CCN
Type: IBM Security Bulletin 6616631 (MQ Operator)
BM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from openssl, pcre2 and Golang Go

Source: CCN
Type: IBM Security Bulletin 6619903 (Spectrum Copy Data Management)
Vulnerabilities in Linux Kernel and OpenSSL may affect IBM Spectrum Copy Data Management

Source: CCN
Type: IBM Security Bulletin 6619915 (Spectrum Protect Plus)
Vulnerabilities in Linux Kernel, OpenSSL, Golang Go, and Zlib may affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6619953 (WIoTP MessageGateway)
Vulnerabilities in openSSL and WebSphere Liberty affect IBM WIoTP MessageGateway (CVE-2022-22476 CVE-2019-11777 CVE-2022-22475 CVE-2022-2097 CVE-2022-2068 CVE-2022-1292)

Source: CCN
Type: IBM Security Bulletin 6620285 (Sterling Connect:Direct for UNIX)
IBM Sterling Connect:Direct for UNIX Container is vulnerable to execute arbitrary commands due to OpenSSL (CVE-2022-1292)

Source: CCN
Type: IBM Security Bulletin 6622079 (Spectrum Protect Plus)
Vulnerabilities in OpenSSL affect IBM Spectrum Protect Plus SQL, File Indexing, and Windows Host agents

Source: CCN
Type: IBM Security Bulletin 6831591 (Robotic Process Automation)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak

Source: CCN
Type: IBM Security Bulletin 6837605 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container operands may be vulnerable to arbitrary code execution due to CVE-2022-1292

Source: CCN
Type: IBM Security Bulletin 6855297 (Security Verify Access)
IBM Security Verify Access Appliance includes components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6857607 (InfoSphere Information Server)
Multiple vulnerabilities in OpenSSL affect IBM InfoSphere Information Server

Source: CCN
Type: IBM Security Bulletin 6890819 (Watson Speech Services Cartridge for Cloud Pak for Data)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to issues in OpenSSL (CVE-2022-1434, CVE-2022-1343, CVE-2022-1292, CVE-2022-1473 )

Source: CCN
Type: IBM Security Bulletin 6982841 (Netcool Operations Insight)
Netcool Operations Insight v1.6.8 addresses multiple security vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6986227 (PureData System for Operational Analytics)
A security vulnerability has been identified in OpenSSL in IBM? AIX? shipped with IBM PureData System for Operational Analytics ( CVE-2022-1292)

Source: CCN
Type: IBM Security Bulletin 7001867 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Source: CCN
Type: OpenSSL Security Advisory [03 May 2022]
OpenSSL Security Advisory [03 May 2022]

Source: openssl-security@openssl.org
Type: Vendor Advisory
openssl-security@openssl.org

Source: CCN
Type: Oracle CPUJul2022
Oracle Critical Patch Update Advisory - July 2022

Source: openssl-security@openssl.org
Type: Third Party Advisory
openssl-security@openssl.org

Vulnerable Configuration:Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*
    • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*
    • Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*
    • Configuration RedHat 4:
  • cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*
    • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:9:*:*:*:*:*:*:*
    • Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:9::baseos:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:openssl:openssl:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:3.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.1.1n:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.2zd:*:*:*:*:*:*:*
  • AND
  • cpe:/o:ibm:aix:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_clearcase:8.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_clearcase:8.0.0:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:netcool/system_service_monitor:4.0.1:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.3:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_clearquest:9.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_clearcase:9.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_connect:direct:4.3.0:*:*:*:unix:*:*:*
  • OR cpe:/a:ibm:sterling_connect:direct:6.0.0:*:*:*:unix:*:*:*
  • OR cpe:/o:ibm:i:7.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:vios:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_clearquest:9.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_clearquest:9.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_access:10.0.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_access:10.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_access:10.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.5.0:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_copy_data_management:2.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.2:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_access:10.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.0:*:*:*:lts:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_access:10.0.4.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:7630
    P
    		libopenssl-1_1-devel-1.1.1l-150500.15.4 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:7631
    P
    		libopenssl-3-devel-3.0.8-150500.3.1 on GA media (Moderate)
    2023-06-12
    oval:org.opensuse.security:def:8084
    P
    		libopenssl-1_0_0-devel-1.0.2p-150000.3.73.1 on GA media (Moderate)
    2023-06-12
    oval:com.redhat.rhsa:def:20226224
    P
    		RHSA-2022:6224: openssl security and bug fix update (Moderate)
    2022-08-30
    oval:com.redhat.rhsa:def:20225818
    P
    		RHSA-2022:5818: openssl security update (Moderate)
    2022-08-03
    oval:org.opensuse.security:def:119620
    P
    		Security update for openssl-1_0_0 (Moderate)
    2022-07-07
    oval:org.opensuse.security:def:95348
    P
    		Security update for openssl-1_0_0 (Moderate)
    2022-07-07
    oval:org.opensuse.security:def:119435
    P
    		Security update for openssl-1_0_0 (Moderate)
    2022-07-07
    oval:org.opensuse.security:def:3718
    P
    		Security update for openssl-1_0_0 (Moderate)
    2022-07-07
    oval:org.opensuse.security:def:563
    P
    		Security update for openssl-1_0_0 (Moderate)
    2022-07-07
    oval:org.opensuse.security:def:94043
    P
    		 (Important)
    2022-07-06
    oval:org.opensuse.security:def:95257
    P
    		Security update for openssl-1_1 (Important)
    2022-07-06
    oval:org.opensuse.security:def:93468
    P
    		 (Important)
    2022-07-06
    oval:org.opensuse.security:def:3625
    P
    		Security update for openssl-3 (Important)
    2022-07-06
    oval:org.opensuse.security:def:94255
    P
    		 (Important)
    2022-07-06
    oval:org.opensuse.security:def:558
    P
    		Security update for openssl-3 (Important)
    2022-07-06
    oval:org.opensuse.security:def:93622
    P
    		 (Important)
    2022-07-06
    oval:org.opensuse.security:def:3627
    P
    		Security update for openssl-1_1 (Important)
    2022-07-06
    oval:org.opensuse.security:def:94464
    P
    		 (Important)
    2022-07-06
    oval:org.opensuse.security:def:93150
    P
    		 (Important)
    2022-07-06
    oval:org.opensuse.security:def:560
    P
    		Security update for openssl-1_1 (Important)
    2022-07-06
    oval:org.opensuse.security:def:93829
    P
    		 (Important)
    2022-07-06
    oval:org.opensuse.security:def:95255
    P
    		Security update for openssl-3 (Important)
    2022-07-06
    oval:org.opensuse.security:def:93310
    P
    		 (Important)
    2022-07-06
    oval:org.opensuse.security:def:42306
    P
    		Security update for openssl-1_1 (Moderate)
    2022-07-04
    oval:org.opensuse.security:def:119429
    P
    		Security update for openssl-1_1 (Moderate)
    2022-07-04
    oval:org.opensuse.security:def:42402
    P
    		Security update for openssl-1_1 (Moderate)
    2022-07-04
    oval:org.opensuse.security:def:118744
    P
    		Security update for openssl-1_1 (Moderate)
    2022-07-04
    oval:org.opensuse.security:def:118934
    P
    		Security update for openssl-1_1 (Moderate)
    2022-07-04
    oval:org.opensuse.security:def:119614
    P
    		Security update for openssl-1_1 (Moderate)
    2022-07-04
    oval:org.opensuse.security:def:43638
    P
    		Security update for openssl-1_1 (Moderate)
    2022-07-04
    oval:org.opensuse.security:def:119239
    P
    		Security update for openssl-1_1 (Moderate)
    2022-07-04
    oval:org.opensuse.security:def:4755
    P
    		Security update for openssl-1_0_0 (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:125744
    P
    		Security update for openssl-1_0_0 (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:127305
    P
    		Security update for openssl-1_1 (Moderate)
    2022-06-24
    oval:org.opensuse.security:def:6083
    P
    		Security update for openssl-1_1 (Moderate)
    2022-06-24
    oval:org.opensuse.security:def:126908
    P
    		Security update for openssl-1_1 (Moderate)
    2022-06-24
    oval:org.opensuse.security:def:5283
    P
    		Security update for openssl-1_1 (Moderate)
    2022-06-24
    oval:org.opensuse.security:def:125742
    P
    		Security update for openssl-1_1 (Moderate)
    2022-06-24
    oval:org.opensuse.security:def:926
    P
    		Security update for openssl-1_1 (Moderate) (in QA)
    2022-06-20
    oval:org.opensuse.security:def:1240
    P
    		Security update for openssl-1_0_0 (Moderate) (in QA)
    2022-06-20
    oval:org.opensuse.security:def:126901
    P
    		Security update for openssl-1_0_0 (Important)
    2022-06-16
    oval:org.opensuse.security:def:5276
    P
    		Security update for openssl-1_0_0 (Important)
    2022-06-16
    oval:org.opensuse.security:def:125735
    P
    		Security update for openssl-1_0_0 (Important)
    2022-06-16
    oval:org.opensuse.security:def:127298
    P
    		Security update for openssl-1_0_0 (Important)
    2022-06-16
    oval:org.opensuse.security:def:6074
    P
    		Security update for openssl-1_0_0 (Important)
    2022-06-16
    BACK
    openssl openssl 1.0.2
    openssl openssl 1.1.1
    openssl openssl 3.0.0
    openssl openssl 3.0.1
    openssl openssl 3.0.2
    openssl openssl 1.1.1n
    openssl openssl 1.0.2zd
    ibm aix 7.1
    ibm rational clearcase 8.0.1
    ibm rational clearcase 8.0.0
    ibm i 7.2
    ibm netcool/system service monitor 4.0.1
    ibm i 7.3
    ibm aix 7.2
    ibm rational clearquest 9.0.1
    ibm rational clearcase 9.0.1
    ibm infosphere information server 11.7
    ibm spectrum protect plus 10.1.0
    ibm sterling connect:direct 4.3.0
    ibm sterling connect:direct 6.0.0
    ibm i 7.4
    ibm vios 3.1
    ibm rational clearquest 9.0.0
    ibm rational clearquest 9.0.2
    ibm security verify access 10.0.2.0
    ibm security verify access 10.0.0.0
    ibm security verify access 10.0.1.0
    ibm aix 7.3
    ibm qradar security information and event manager 7.5.0 -
    ibm spectrum copy data management 2.2.0.0
    ibm robotic process automation 21.0.1
    ibm robotic process automation 21.0.2
    ibm i 7.5
    ibm app connect enterprise certified container 4.1
    ibm app connect enterprise certified container 4.2
    ibm security verify access 10.0.3.0
    ibm robotic process automation 21.0.3
    ibm robotic process automation 21.0.4
    ibm cloud pak for security 1.10.0.0
    ibm app connect enterprise certified container 5.0
    ibm app connect enterprise certified container 5.1
    ibm security verify access 10.0.4.0