| Vulnerability Name: | CVE-2022-2097 (CCN-230425) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Assigned: | 2022-07-04 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Published: | 2022-07-04 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Updated: | 2023-04-20 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Summary: | OpenSSL could allow a remote attacker to obtain sensitive information, caused by improper encryption of data by the AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| CVSS v3 Severity: | 5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) 4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
4.6 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| CVSS v2 Severity: | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Vulnerability Consequences: | Obtain Information | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| References: | Source: MITRE Type: CNA CVE-2022-2097 Source: openssl-security@openssl.org Type: Third Party Advisory openssl-security@openssl.org Source: XF Type: UNKNOWN openssl-cve20222097-info-disc(230425) Source: openssl-security@openssl.org Type: Mailing List, Patch, Vendor Advisory openssl-security@openssl.org Source: openssl-security@openssl.org Type: Mailing List, Patch, Vendor Advisory openssl-security@openssl.org Source: openssl-security@openssl.org Type: Mailing List, Third Party Advisory openssl-security@openssl.org Source: openssl-security@openssl.org Type: Mailing List, Third Party Advisory openssl-security@openssl.org Source: openssl-security@openssl.org Type: Mailing List, Third Party Advisory openssl-security@openssl.org Source: openssl-security@openssl.org Type: Mailing List, Third Party Advisory openssl-security@openssl.org Source: CCN Type: OpenSSL Security Advisory [5 July 2022] OpenSSL Security Advisory [5 July 2022] Source: CCN Type: Node.js Blog, 2022-07-07 July 7th 2022 Security Releases Source: openssl-security@openssl.org Type: Third Party Advisory openssl-security@openssl.org Source: openssl-security@openssl.org Type: Third Party Advisory openssl-security@openssl.org Source: openssl-security@openssl.org Type: UNKNOWN openssl-security@openssl.org Source: openssl-security@openssl.org Type: Third Party Advisory openssl-security@openssl.org Source: CCN Type: IBM Security Bulletin 6604327 (App Connect Professional) OpenSSL vulnerability affects App Connect professional v7.5.4. Source: CCN Type: IBM Security Bulletin 6613025 (App Connect Enterprise) Multiple vulnerabilities due to OpenSSL and Node js which affect IBM App Connect Enterprise and IBM Integration Bus Source: CCN Type: IBM Security Bulletin 6613431 (AIX) AIX is vulnerable to arbitrary command execution (CVE-2022-1292 and CVE-2022-2068) or an attacker may obtain sensitive information (CVE-2022-2097) due to OpenSSL Source: CCN Type: IBM Security Bulletin 6613565 (Spectrum Control) IBM Spectrum Control is vulnerable to multiple weaknesses related to IBM WebSphere Application Server Liberty and OpenSSL (CVE-2022-2068, CVE-2022-2097, CVE-2022-22475) Source: CCN Type: IBM Security Bulletin 6614565 (b-type SAN directors and switches) Vulnerability in SANNav Software used by IBM b-type SAN directors and switches. Source: CCN Type: IBM Security Bulletin 6616631 (MQ Operator) BM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from openssl, pcre2 and Golang Go Source: CCN Type: IBM Security Bulletin 6619903 (Spectrum Copy Data Management) Vulnerabilities in Linux Kernel and OpenSSL may affect IBM Spectrum Copy Data Management Source: CCN Type: IBM Security Bulletin 6619915 (Spectrum Protect Plus) Vulnerabilities in Linux Kernel, OpenSSL, Golang Go, and Zlib may affect IBM Spectrum Protect Plus Source: CCN Type: IBM Security Bulletin 6619953 (WIoTP MessageGateway) Vulnerabilities in openSSL and WebSphere Liberty affect IBM WIoTP MessageGateway (CVE-2022-22476 CVE-2019-11777 CVE-2022-22475 CVE-2022-2097 CVE-2022-2068 CVE-2022-1292) Source: CCN Type: IBM Security Bulletin 6620647 (Sterling Connect:Direct for UNIX) IBM Sterling Connect:Direct for UNIX container is vulnerable to obtain sensitive information due to OpenSSL (CVE-2022-2097) Source: CCN Type: IBM Security Bulletin 6825155 (Watson Assistant for Cloud Pak for data) Multiple Vulnerabilities in node.js Source: CCN Type: IBM Security Bulletin 6831591 (Robotic Process Automation) Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak Source: CCN Type: IBM Security Bulletin 6837609 (App Connect Enterprise Certified Container) IBM App Connect Enterprise Certified Container operands may be vulnerable to loss of confidentiality due to CVE-2022-2097 Source: CCN Type: IBM Security Bulletin 6842263 (Netcool/System Service Monitor) Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors Source: CCN Type: IBM Security Bulletin 6845365 (QRadar WinCollect Agent) IBM QRadar Wincollect agent is vulnerable to using components with know vulnerabilities Source: CCN Type: IBM Security Bulletin 6855297 (Security Verify Access) IBM Security Verify Access Appliance includes components with known vulnerabilities Source: CCN Type: IBM Security Bulletin 6855543 (Rational ClearQuest) Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2022-2068, CVE-2022-2097) Source: CCN Type: IBM Security Bulletin 6855595 (Rational ClearCase) Multiple vulnerabilities in OpenSSL affects IBM Rational ClearCase (CVE-2022-2097, CVE-2022-2068) Source: CCN Type: IBM Security Bulletin 6857607 (InfoSphere Information Server) Multiple vulnerabilities in OpenSSL affect IBM InfoSphere Information Server Source: CCN Type: IBM Security Bulletin 6890853 (Watson Speech Services Cartridge for Cloud Pak for Data) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to information exposure in OpenSSL (CVE-2022-2097) Source: CCN Type: Mend Vulnerability Database CVE-2022-2097 Source: openssl-security@openssl.org Type: Vendor Advisory openssl-security@openssl.org | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Vulnerable Configuration: | Configuration RedHat 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Oval Definitions | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| BACK | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||