You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Mirth 4.4.0 docker deployment
output from docker exec -it ... /bin/bash -> openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Container locations found at
/var/lib/docker/overlay2/2c8b674dbcaeba17980b1e73ffbca5b22ddff4bbb2ec5a99d2eb39065e8fd5a5/diff/usr/bin/openssl
/var/lib/docker/overlay2/bd5700efed7d6206a58c205213a9d5205ac42759343c8a0f0975fba197057f85/merged/usr/bin/openssl
/var/lib/docker/overlay2/3f7d8dcc7c2f2c95be10b79b32cef72d6524b5a263a2e74b02d11363e5be755f/diff/usr/bin/openssl
/var/lib/docker/overlay2/56a86609a5c358b00335308a359f1488f072a6334a2581efff2500ec3ef757ee/diff/usr/bin/openssl
/var/lib/docker/overlay2/c4e78ad6d7d8cc176098872c6bacea5353bf9de0df17865d3b09ba7b439931c2/merged/usr/bin/openssl
Finding -
The version of OpenSSL installed on the remote host is prior to 3.0.4. It is, therefore, affected by a vulnerability as referenced in the 3.0.4 advisory.
In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze). (CVE-2022-2068)
Risk Information
RISK FACTOR
Critical
CVSS BASE SCORE
10.0
CVSS TEMPORAL SCORE
7.4
CVSS VECTOR
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS TEMPORAL VECTOR
E:U/RL:OF/RC:C
CVSS3 BASE SCORE
9.8
CVSS3 TEMPORAL SCORE
8.5
CVSS3 VECTOR
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS3 TEMPORAL VECTOR
E:U/RL:O/RC:C
IVAM SEVERITY
I
Vulnerability Information
VULN PUBLISHED
06/20/2022 at 5:00 PM
EXPLOITABILITY
PATCH PUBLISHED
06/20/2022 at 5:00 PM
CPE
cpe:/a:openssl:openssl
Reference Information
CVE CVE-2022-2068
IAVA
2022-A-0257-S
The text was updated successfully, but these errors were encountered:
Scan Performed by Tenable.IO
Deployed in AWS GovCloud
Base OS RHEL 8.8
Mirth 4.4.0 docker deployment
output from docker exec -it ... /bin/bash -> openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Container locations found at
/var/lib/docker/overlay2/2c8b674dbcaeba17980b1e73ffbca5b22ddff4bbb2ec5a99d2eb39065e8fd5a5/diff/usr/bin/openssl
/var/lib/docker/overlay2/bd5700efed7d6206a58c205213a9d5205ac42759343c8a0f0975fba197057f85/merged/usr/bin/openssl
/var/lib/docker/overlay2/3f7d8dcc7c2f2c95be10b79b32cef72d6524b5a263a2e74b02d11363e5be755f/diff/usr/bin/openssl
/var/lib/docker/overlay2/56a86609a5c358b00335308a359f1488f072a6334a2581efff2500ec3ef757ee/diff/usr/bin/openssl
/var/lib/docker/overlay2/c4e78ad6d7d8cc176098872c6bacea5353bf9de0df17865d3b09ba7b439931c2/merged/usr/bin/openssl
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2068
Finding -
The version of OpenSSL installed on the remote host is prior to 3.0.4. It is, therefore, affected by a vulnerability as referenced in the 3.0.4 advisory.
Risk Information
RISK FACTOR
Critical
CVSS BASE SCORE
10.0
CVSS TEMPORAL SCORE
7.4
CVSS VECTOR
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS TEMPORAL VECTOR
E:U/RL:OF/RC:C
CVSS3 BASE SCORE
9.8
CVSS3 TEMPORAL SCORE
8.5
CVSS3 VECTOR
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS3 TEMPORAL VECTOR
E:U/RL:O/RC:C
IVAM SEVERITY
I
Vulnerability Information
VULN PUBLISHED
06/20/2022 at 5:00 PM
EXPLOITABILITY
PATCH PUBLISHED
06/20/2022 at 5:00 PM
CPE
cpe:/a:openssl:openssl
Reference Information
CVE
CVE-2022-2068
IAVA
2022-A-0257-S
The text was updated successfully, but these errors were encountered: