CVE-2022-2097: AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances…

medium5.3CVSS 3.1

AVNACLPRNUINSUCLINAN

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).

Affected

32 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	openssl	< openssl 3.0.5-1 (bookworm)	openssl 3.0.5-1 (bookworm)
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
msrc	azl3_edk2_20230301gitf80f052277c8-37_on_azure_linux_3.0	—	—
msrc	azl3_edk2_20240223gitedc6681206c1-1_on_azure_linux_3.0	—	—
msrc	azl3_hvloader_1.0.1-1_on_azure_linux_3.0	—	—
msrc	azl3_hvloader_1.0.1-2_on_azure_linux_3.0	—	—
msrc	azl3_rust_1.75.0-14_on_azure_linux_3.0	—	—
msrc	azl3_rust_1.86.0-1_on_azure_linux_3.0	—	—
msrc	azure_linux_3.0_arm	—	—
msrc	azure_linux_3.0_x64	—	—
msrc	cbl2_openssl_1.1.1k-20_on_cbl_mariner_2.0	—	—
msrc	cbl_mariner_1.0_arm	—	—
msrc	cbl_mariner_1.0_x64	—	—
msrc	cbl_mariner_2.0_arm	—	—
msrc	cbl_mariner_2.0_x64	—	—
msrc	cm1_openssl_1.1.1k-12_on_cbl_mariner_1.0	—	—
nodejs	nodejs	>= 0 < 12.22.9~dfsg-1ubuntu3.1	12.22.9~dfsg-1ubuntu3.1
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	>= 0 < 1.1.1n-0+deb11u4	1.1.1n-0+deb11u4
openssl	openssl	>= 0 < 3.0.5-1	3.0.5-1
openssl	openssl	>= 0 < 3.0.5-1	3.0.5-1

CVSS provenance

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

osv7.5HIGH