The code in OpenSSL that implements the SSLv3 protocol does not properly handle malformed SSLv3 handshake messages, which could, in combination with other inputs, cause a denial of service.

The vulnerable code path is reached only when a connection negotiates SSLv3, so a server is exposed only if it still accepts SSLv3 handshakes from backward-compatible clients; a server with SSLv3 disabled cannot be reached through this path. SSLv2 is not relevant here, as current clients do not offer it.

There are two ways the SSLv3 handshake handling can lead to a denial of service:

1. An SSLv3 record can declare or carry more data than the server is prepared to process, causing a crash.
2. A malformed handshake message can be accepted for processing by OpenSSL, causing a crash.
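To make the two failure modes concrete, the following is an added example, not OpenSSL's code or anything from the advisory: a minimal SSLv3 record and handshake parser that checks every attacker-controlled length before using it, so an oversized record (issue 1) or a handshake message whose declared length runs past the bytes actually present (issue 2) is rejected with an exception instead of driving an out-of-bounds read. It also builds a bare SSLv3 ClientHello, which the `probe_sslv3` helper sends to a live host to tell whether SSLv3 is still negotiated (the check behind the exposure condition above). All sample inputs are constructed inline, and the function and class names are this example's own.

```python
import os
import socket
import struct

SSLV3_VERSION = b"\x03\x00"
CT_ALERT = 0x15
CT_HANDSHAKE = 0x16
HT_CLIENT_HELLO = 1
HT_SERVER_HELLO = 2
MAX_FRAGMENT = 1 << 14   # largest fragment an SSLv3 record may carry


class MalformedSSLv3(ValueError):
    """Raised instead of letting an attacker-controlled length drive a read."""


def build_client_hello(cipher_suites=(0x002F, 0x000A), random=None):
    """Return one SSLv3 record carrying a ClientHello (SSLv3 has no extensions)."""
    random = random if random is not None else os.urandom(32)
    body = (SSLV3_VERSION + random
            + b"\x00"                                   # empty session_id
            + struct.pack("!H", 2 * len(cipher_suites))
            + b"".join(struct.pack("!H", cs) for cs in cipher_suites)
            + b"\x01\x00")                              # one compression method: null
    handshake = bytes([HT_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CT_HANDSHAKE]) + SSLV3_VERSION + struct.pack("!H", len(handshake)) + handshake


def parse_record(data):
    """Split one record off `data`, returning (content_type, fragment, remaining bytes)."""
    if len(data) < 5:
        raise MalformedSSLv3("truncated record header")
    ctype, version, length = data[0], data[1:3], struct.unpack("!H", data[3:5])[0]
    if version != SSLV3_VERSION:
        raise MalformedSSLv3("not an SSLv3 record (version %r)" % version)
    if length > MAX_FRAGMENT:      # issue 1: more data than the record layer may accept
        raise MalformedSSLv3("record length %d exceeds 2^14" % length)
    if len(data) - 5 < length:     # declared length runs past the bytes we actually hold
        raise MalformedSSLv3("record declares %d bytes, %d present" % (length, len(data) - 5))
    return ctype, data[5:5 + length], data[5 + length:]


def parse_handshake(fragment):
    """Return [(msg_type, body), ...] for every handshake message in a fragment."""
    messages = []
    while fragment:
        if len(fragment) < 4:
            raise MalformedSSLv3("truncated handshake header")
        msg_type, msg_len = fragment[0], int.from_bytes(fragment[1:4], "big")
        if msg_len > len(fragment) - 4:   # issue 2: malformed length in a handshake message
            raise MalformedSSLv3("handshake message declares %d bytes, %d present"
                                 % (msg_len, len(fragment) - 4))
        messages.append((msg_type, fragment[4:4 + msg_len]))
        fragment = fragment[4 + msg_len:]
    return messages


def parse_client_hello(body):
    """Decode a ClientHello body, checking every length field before using it."""
    def take(n, what):
        nonlocal body
        if len(body) < n:
            raise MalformedSSLv3("%s: need %d bytes, have %d" % (what, n, len(body)))
        chunk, body = body[:n], body[n:]
        return chunk

    version = take(2, "client_version")
    random = take(32, "random")
    sid_len = take(1, "session_id length")[0]
    if sid_len > 32:
        raise MalformedSSLv3("session_id length %d exceeds 32" % sid_len)
    session_id = take(sid_len, "session_id")
    cs_len = struct.unpack("!H", take(2, "cipher_suites length"))[0]
    if cs_len == 0 or cs_len % 2:
        raise MalformedSSLv3("cipher_suites length %d is not a positive even number" % cs_len)
    raw = take(cs_len, "cipher_suites")
    suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, cs_len, 2)]
    comp = take(take(1, "compression_methods length")[0], "compression_methods")
    if not comp:
        raise MalformedSSLv3("empty compression_methods")
    if body:                       # trailing bytes are injected data, not part of a ClientHello
        raise MalformedSSLv3("%d trailing bytes after ClientHello" % len(body))
    return {"version": version, "random": random, "session_id": session_id,
            "cipher_suites": suites, "compression_methods": list(comp)}


def is_rejected(parser, data):
    """True if `parser` refuses `data` with MalformedSSLv3 instead of reading past it."""
    try:
        parser(data)
    except MalformedSSLv3:
        return True
    return False


def probe_sslv3(host, port=443, timeout=5.0):
    """Send an SSLv3 ClientHello to a live host and classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        reply = sock.recv(4096)
    if not reply:
        return "connection closed: SSLv3 not negotiated"
    if reply[0] == CT_ALERT:
        return "alert: server refused SSLv3"
    ctype, fragment, _ = parse_record(reply)
    messages = parse_handshake(fragment) if ctype == CT_HANDSHAKE else []
    if messages and messages[0][0] == HT_SERVER_HELLO:
        return "ServerHello: server still negotiates SSLv3"
    return "unexpected reply"
```

Each `raise MalformedSSLv3` marks a place where a parser that trusted the length field would instead index past its buffer; `probe_sslv3("example.org")` against a host you are authorised to test reports whether that host still completes an SSLv3 handshake at all, which is the first thing to verify before worrying about this class of bug.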

Related OpenSSL denial of service identifiers listed on this page:

CVE-2022-21883: OpenSSL has a denial of service vulnerability due to improper handling of malformed X.509 certificates.

CVE-2022-21889: OpenSSL has

Cryptographic Issues

This issue is classified as a vulnerability in the OpenSSL cryptographic library due to improper handling of malformed X.509 certificates. It can be triggered when an application using OpenSSL is presented with a specially crafted certificate from an untrusted source. Red Hat Enterprise Linux 6 is not affected by this issue.
The SSLv3 issue was assigned CVE-2022 by MITRE because it stems from errors in the SSLv3 protocol implementation: specifically, in how malformed handshake messages are processed and in how extra data injected into the handshake message stream is handled.


Timeline

Published on: 01/11/2022 21:15:00 UTC
Last modified on: 05/23/2022 17:29:00 UTC
