CVE-2022-1343 - Vulnerability Details

The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL "ocsp" application. When verifying an ocsp response with the "-no_cert_checks" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Netapp	A250 A250 Firmware A700s A700s Firmware Active Iq Unified Manager Aff 500f Aff 500f Firmware Aff 8300 Aff 8300 Firmware Aff 8700 Aff 8700 Firmware Aff A400 Aff A400 Firmware Clustered Data Ontap Clustered Data Ontap Antivirus Connector Fabric-attached Storage A400 Fabric-attached Storage A400 Firmware Fas 500f Fas 500f Firmware Fas 8300 Fas 8300 Firmware Fas 8700 Fas 8700 Firmware H300e H300e Firmware H300s H300s Firmware H410s H410s Firmware H500e H500e Firmware H500s H500s Firmware H700e H700e Firmware H700s H700s Firmware Santricity Smi-s Provider Smi-s Provider Snapmanager Solidfire\, Enterprise Sds \& Hci Storage Node Solidfire \& Hci Management Node
Openssl	Openssl
Redhat	Enterprise Linux

Configuration 1 [-]

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vsphere::
	cpe:2.3:a:netapp:clustered_data_ontap:-:::::::*
	cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:::::::*
	cpe:2.3:a:netapp:santricity_smi-s_provider:-:::::::*
	cpe:2.3:a:netapp:smi-s_provider:-:::::::*
	cpe:2.3:a:netapp:snapmanager:-:::::hyper-v::
	cpe:2.3:a:netapp:solidfire\,_enterprise_sds_\&_hci_storage_node:-:::::::*
	cpe:2.3:a:netapp:solidfire_\&_hci_management_node:-:::::::*

Configuration 3 [-]

AND

cpe:2.3:o:netapp:a250_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:a250:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:netapp:a700s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:a700s:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:netapp:aff_500f_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:aff_500f:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:netapp:aff_8300_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:aff_8300:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:netapp:aff_8700_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:aff_8700:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:netapp:aff_a400_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:aff_a400:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:netapp:fabric-attached_storage_a400_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:fabric-attached_storage_a400:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:netapp:fas_500f_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:fas_500f:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:netapp:fas_8300_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:fas_8300:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:netapp:fas_8700_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:fas_8700:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND

cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND

cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND

cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*

Configuration 17 [-]

AND

cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

Configuration 18 [-]

AND

cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*

Configuration 19 [-]

AND

cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 9
openssl-1:3.0.1-41.el9_0	cpe:/a:redhat:enterprise_linux:9	RHSA-2022:6224	2022-08-30T00:00:00Z
openssl-1:3.0.1-41.el9_0	cpe:/o:redhat:enterprise_linux:9	RHSA-2022:6224	2022-08-30T00:00:00Z

References

Link	Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2eda98790c5c2741d76d23cc1e74b0dc4f4b391a
https://nvd.nist.gov/vuln/detail/CVE-2022-1343
https://security.netapp.com/advisory/ntap-20220602-0009/
https://www.cve.org/CVERecord?id=CVE-2022-1343
https://www.openssl.org/news/secadv/20220503.txt

History

Mon, 05 May 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: openssl

Published: 2022-05-03T15:15:21.496Z

Updated: 2025-05-05T16:42:39.898Z

Reserved: 2022-04-13T00:00:00.000Z

Link: CVE-2022-1343

Vulnrichment

Updated: 2024-08-03T00:03:05.875Z

NVD

Status : Modified

Published: 2022-05-03T16:15:18.873

Modified: 2025-05-05T17:17:34.273

Link: CVE-2022-1343

Redhat

Severity : Moderate

Publid Date: 2022-05-03T00:00:00Z

Links: CVE-2022-1343 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object