CVE-2022-23408 — Use of Insufficiently Random Values in Wolfssl

CWE-330 — Use of Insufficiently Random Values4 documents4 sources

Severity

9.1CRITICALNVD

EPSS

0.3%

top 48.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wolfssl Debian Wolfssl

Timeline

PublishedJan 18

Latest updateJan 19

Description

wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2. This occurs because of misplaced memory initialization in BuildMessage in internal.c.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages3 packages

▶debiandebian/wolfssl< wolfssl 5.1.1-1 (bookworm)

▶NVDwolfssl/wolfssl5.0.0 — 5.1.1

▶Debianwolfssl/wolfssl< 5.1.1-1+2

🔴Vulnerability Details

GHSA

GHSA-xx9h-ppjx-3rjx: wolfSSL 5↗2022-01-19

▶

OSV

CVE-2022-23408: wolfSSL 5↗2022-01-18

▶

📋Vendor Advisories

Debian

CVE-2022-23408: wolfssl - wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. This a...↗2022

▶