7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-3996

GHSA ID

GHSA-vr8j-hgmm-jh9r

EPSS Score

0.40782%

CWE

CWE-667

Published

12/13/2022

Updated

10/2/2024

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-3996

CVE-2022-3996: Denial of service by double-checked locking in openssl-src

If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the -policy' argument to the command line utilities or by calling either X509_VERIFY_PARAM_add0_policy()' or `X509_VERIFY_PARAM_set1_policies()' functions.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-3996

GHSA ID

GHSA-vr8j-hgmm-jh9r

EPSS Score

0.40782%

CWE

CWE-667

Published

12/13/2022

Updated

10/2/2024

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
openssl-src	rust	>= 300.0.0, < 300.0.12	300.0.12

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper recursive locking in policy constraint handling. The commit diff shows the fix removed a CRYPTO_THREAD_write_lock() call in ossl_policy_cache_set_mapping, which was causing a double-lock scenario. This function is part of the policy processing logic triggered when X509_VERIFY_PARAM_add0_policy() or X509_VERIFY_PARAM_set1_policies() are used, but the actual locking vulnerability resides in ossl_policy_cache_set_mapping during certificate validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

I* *n X.*** **rti*i**t* *ont*ins * m*l*orm** poli*y *onstr*int *n* poli*y pro**ssin* is *n**l**, t**n * writ* lo*k will ** t*k*n twi** r**ursiv*ly. On som* op*r*tin* syst*ms (most wi**ly: Win*ows) t*is r*sults in * **ni*l o* s*rvi** w**n t** *****t**

Reasoning

T** vuln*r**ility st*ms *rom improp*r r**ursiv* lo*kin* in poli*y *onstr*int **n*lin*. T** *ommit *i** s*ows t** *ix r*mov** * *RYPTO_T*R***_writ*_lo*k() **ll in ossl_poli*y_*****_s*t_m*ppin*, w*i** w*s **usin* * *ou*l*-lo*k s**n*rio. T*is *un*tion i

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-3996: Denial of service by double-checked locking in openssl-src

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI