CVE-2022-2068 - OpenSSL Critical finding

[tbobrykozaki]

Scan Performed by Tenable.IO

Deployed in AWS GovCloud Base OS RHEL 8.8

Mirth 4.4.0 docker deployment output from docker exec -it ... /bin/bash -> openssl version OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

Container locations found at /var/lib/docker/overlay2/2c8b674dbcaeba17980b1e73ffbca5b22ddff4bbb2ec5a99d2eb39065e8fd5a5/diff/usr/bin/openssl /var/lib/docker/overlay2/bd5700efed7d6206a58c205213a9d5205ac42759343c8a0f0975fba197057f85/merged/usr/bin/openssl /var/lib/docker/overlay2/3f7d8dcc7c2f2c95be10b79b32cef72d6524b5a263a2e74b02d11363e5be755f/diff/usr/bin/openssl /var/lib/docker/overlay2/56a86609a5c358b00335308a359f1488f072a6334a2581efff2500ec3ef757ee/diff/usr/bin/openssl /var/lib/docker/overlay2/c4e78ad6d7d8cc176098872c6bacea5353bf9de0df17865d3b09ba7b439931c2/merged/usr/bin/openssl

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2068

Finding - The version of OpenSSL installed on the remote host is prior to 3.0.4. It is, therefore, affected by a vulnerability as referenced in the 3.0.4 advisory.

• In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze). (CVE-2022-2068)

Risk Information RISK FACTOR Critical CVSS BASE SCORE 10.0 CVSS TEMPORAL SCORE 7.4 CVSS VECTOR AV:N/AC:L/Au:N/C:C/I:C/A:C CVSS TEMPORAL VECTOR E:U/RL:OF/RC:C CVSS3 BASE SCORE 9.8 CVSS3 TEMPORAL SCORE 8.5 CVSS3 VECTOR AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS3 TEMPORAL VECTOR E:U/RL:O/RC:C IVAM SEVERITY I Vulnerability Information VULN PUBLISHED 06/20/2022 at 5:00 PM EXPLOITABILITY PATCH PUBLISHED 06/20/2022 at 5:00 PM CPE cpe:/a:openssl:openssl Reference Information CVE CVE-2022-2068 IAVA 2022-A-0257-S

[jdonextgen]

We've upgraded OpenSSL to version 3.1.3 in the Mirth Connect Eclipse Temurin Docker images to address vulnerabilities that exist in OpenSSL 3.0.2.