CVE-2022-1292 Report - Details, Severity, & Advisories

Twingate Team

Dec 29, 2023

CVE-2022-1292 is a critical command injection vulnerability affecting systems that use the c_rehash script, specifically those running certain versions of OpenSSL. With a severity score of 9.8, this vulnerability allows attackers to execute arbitrary commands with the privileges of the script due to improper sanitization of shell metacharacters. The issue impacts various operating systems and products that utilize OpenSSL, such as Debian Linux, Fedora Linux, and Oracle MySQL Server. To mitigate the risk, it is recommended to update to the fixed versions of OpenSSL.

How do I know if I'm affected?

If you're using OpenSSL, you might be affected by this vulnerability. This issue is present in OpenSSL versions 1.0.2 to 1.0.2zd, 1.1.1 to 1.1.1n, and 3.0.0 to 3.0.2. The vulnerability is due to the c_rehash script not properly sanitizing shell metacharacters, which could allow an attacker to execute arbitrary commands with the script's privileges. To check if you're affected, verify the version of OpenSSL you're using and see if it falls within the mentioned ranges.

What should I do if I'm affected?

If you're affected by this vulnerability, it's important to update your OpenSSL to a fixed version (3.0.3, 1.1.1o, or 1.0.2ze). For Debian users, upgrade your OpenSSL package to 1.1.0l-1~deb9u6. Fedora users can update using the "dnf" command, following instructions on the Fedora 36 and Fedora 35 update pages.

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

The CVE-2022-1292 vulnerability, also known as Command Injection in the c_rehash script, is not listed in CISA's Known Exploited Vulnerabilities Catalog. It was added to the National Vulnerability Database on 05/03/2022. There is no specific due date mentioned, but the required action is to replace the use of the c_rehash script with the OpenSSL rehash command line tool and update to fixed versions of OpenSSL (3.0.3, 1.1.1o, or 1.0.2ze) to mitigate the vulnerability.
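The three checks above (read the installed OpenSSL version, compare it against the affected ranges, and move from c_rehash to the openssl rehash tool) can be scripted. The following POSIX shell script is an added example written for this report, not code from Twingate or from the OpenSSL project. The version ranges are the ones stated above; the sample version line used in the comments is constructed, and the function names are the author's own.

```shell
#!/bin/sh
# Added example: host check for CVE-2022-1292 (c_rehash command injection).
# Affected ranges, as listed in the report above:
#   1.0.2 .. 1.0.2zd   (fixed in 1.0.2ze)
#   1.1.1 .. 1.1.1n    (fixed in 1.1.1o)
#   3.0.0 .. 3.0.2     (fixed in 3.0.3)

# Extract the version token from the output of `openssl version`.
# Constructed sample input: "OpenSSL 1.1.1n  15 Mar 2022" -> "1.1.1n"
parse_openssl_version() {
  # shellcheck disable=SC2086  (word splitting is intended here)
  set -- $1
  printf '%s\n' "$2"
}

# Return 0 (true) when the version string falls inside an affected range.
# Patterns are tried in order: plain base version, single letter suffix,
# "z" + second letter suffix, then everything later in the same branch.
openssl_affected() {
  case "$1" in
    1.0.2)              return 0 ;;   # bare 1.0.2
    1.0.2[a-z])         return 0 ;;   # 1.0.2a .. 1.0.2z
    1.0.2z[a-d])        return 0 ;;   # 1.0.2za .. 1.0.2zd
    1.0.2*)             return 1 ;;   # 1.0.2ze and later are fixed
    1.1.1)              return 0 ;;   # bare 1.1.1
    1.1.1[a-n])         return 0 ;;   # 1.1.1a .. 1.1.1n
    1.1.1*)             return 1 ;;   # 1.1.1o and later are fixed
    3.0.0|3.0.1|3.0.2)  return 0 ;;
    *)                  return 1 ;;   # other branches not in the affected ranges
  esac
}

# Report on the local host: version status plus presence of the c_rehash script.
report_host() {
  if line=$(openssl version 2>/dev/null); then
    ver=$(parse_openssl_version "$line")
    if openssl_affected "$ver"; then
      echo "OpenSSL $ver is in an affected range: update to 3.0.3, 1.1.1o or 1.0.2ze"
    else
      echo "OpenSSL $ver is outside the affected ranges"
    fi
  else
    echo "openssl binary not found in PATH"
  fi

  # The mitigation in the report is to stop using the c_rehash script and
  # call the built-in rehash command instead, e.g.: openssl rehash /etc/ssl/certs
  if command -v c_rehash >/dev/null 2>&1; then
    echo "c_rehash present at $(command -v c_rehash); replace its use with 'openssl rehash <dir>'"
  fi
}

report_host
```

The version comparison is deliberately a `case` table rather than a generic version sort: OpenSSL letter suffixes ("1.0.2zd", "1.1.1n") do not sort correctly with numeric comparison tools, and a fixed table matching the advisory ranges is easier to audit. Run the script on each host as the user that normally invokes certificate rehashing; the c_rehash check only reports the script's presence, so pair it with a search of cron jobs and build scripts that call it.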

Weakness enumeration

The weakness enumeration for this vulnerability is CWE-78, improper neutralization of special elements used in an OS command, which leads to command injection. Updating OpenSSL to a fixed version addresses this issue.

For more details

CVE-2022-1292, a critical command injection vulnerability, affects various systems using the c_rehash script. By updating OpenSSL to fixed versions and following recommended mitigation strategies, users can protect their systems from this vulnerability. For a comprehensive understanding, including its description, severity, technical details, and known affected software configurations, refer to the NVD page or the links below.
