Corrective releases of the OpenSSL cryptographic library, 3.0.2 and 1.1.1n, are available. The updates fix a vulnerability (CVE-2022-0778) that can be used to cause a denial of service (an infinite loop that ties up the processor). To exploit the vulnerability, it is enough to get a specially crafted certificate processed. The problem affects both server and client applications that can process user-supplied certificates.
The problem is caused by an error in the BN_mod_sqrt() function, which leads to an infinite loop when computing a square root modulo a number that is not prime. The function is used when parsing certificates with keys based on elliptic curves. Exploitation comes down to placing invalid elliptic curve parameters in the certificate. Since the problem occurs before the certificate's digital signature is verified, the attack can be carried out by an unauthenticated user who is able to get a client or server certificate submitted to applications that use OpenSSL.
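The following is an added illustration, not OpenSSL's code and not part of the original report: a textbook Tonelli-Shanks modular square root in Python, standing in for the general class of algorithm, with every loop bounded so that a non-prime modulus produces an error instead of a hang. The function name `mod_sqrt`, the 256-candidate search limit and the sample moduli are assumptions made for this example.

```python
def mod_sqrt(a, p):
    """Square root of a modulo p (textbook Tonelli-Shanks), or None on failure.

    The algorithm is only correct for odd prime p. Every loop is bounded,
    so a composite p taken from untrusted input yields None, never a hang.
    """
    if p < 3 or p % 2 == 0:
        return None
    a %= p
    if a == 0:
        return 0
    # Euler's criterion: for prime p, a is a square iff a^((p-1)/2) == 1.
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    # Write p - 1 = q * 2^e with q odd.
    q, e = p - 1, 0
    while q % 2 == 0:
        q //= 2
        e += 1
    # Bounded search for a quadratic non-residue z (limit is an assumption).
    z = next((c for c in range(2, min(p, 258))
              if pow(c, (p - 1) // 2, p) == p - 1), None)
    if z is None:
        return None
    c, x, t, m = pow(z, q, p), pow(a, (q + 1) // 2, p), pow(a, q, p), e
    while t != 1:
        # Least i with t^(2^i) == 1. For prime p it always satisfies i < m;
        # for composite p it may not exist, so the search stops at m.
        i, t2 = 0, t
        while t2 != 1 and i < m:
            t2 = t2 * t2 % p
            i += 1
        if i >= m:
            return None  # invariant broken: p is not prime
        b = pow(c, 1 << (m - i - 1), p)
        x, c = x * b % p, b * b % p
        t, m = t * c % p, i  # m strictly decreases, so at most e rounds
    # Final check so a wrong value is never returned for a bad modulus.
    return x if x * x % p == a else None


if __name__ == "__main__":
    print(mod_sqrt(10, 13))  # prime modulus: a valid root
    print(mod_sqrt(16, 85))  # constructed composite modulus: bound trips
```

With the constructed input `mod_sqrt(16, 85)` the inner search reaches its limit `m` without finding a valid exponent, which is the condition an unbounded search would never leave.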
The vulnerability also affects the LibreSSL library developed by the OpenBSD project; the fix for it is offered in the corrective releases LibreSSL 3.3.6, 3.4.3 and 3.5.1.