PT-2022-24244 · Wolfssl+2
Max · Published 2022-08-31 · Updated 2023-03-01 · CVE-2022-38152
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
wolfSSL versions prior to 5.5.0
Description
An issue was discovered in wolfSSL: when a TLS 1.3 client connects to a wolfSSL server and SSL_clear is called on its session, the server crashes with a segmentation fault. This occurs in the second session, which is created through TLS session resumption and reuses the initial struct WOLFSSL. The server crashes when it reuses the previous session structure by calling wolfSSL_clear(WOLFSSL* ssl) on it and then receives a Client Hello that resumes the previous session. The bug is triggered only when sessions are resumed using TLS session resumption, and it affects servers that use wolfSSL_clear instead of the recommended SSL_free; SSL_new sequence. wolfSSL_clear is part of wolfSSL's compatibility layer and is not enabled by default.
Recommendations
For versions prior to 5.5.0, consider using the recommended SSL_free; SSL_new sequence instead of wolfSSL_clear to avoid the issue. As a temporary workaround, do not reuse the previous session structure by calling wolfSSL_clear(WOLFSSL* ssl) on it; use the recommended sequence to create a new session instead. Update to version 5.5.0 or later to resolve the issue.
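To check whether the recommendation above applies to a code base, the following script (an added example, not part of the advisory or of wolfSSL's own code) finds wolfSSL_clear / SSL_clear call sites in a C source tree and combines the result with the wolfSSL version in use. The function names, verdict strings and sample sources are constructed for illustration, and the library version is assumed to be supplied by the caller.

```shell
#!/bin/sh
# Added example: flag call sites relevant to CVE-2022-38152 in a C source tree.
FIXED_VERSION="5.5.0"   # from the advisory: versions prior to 5.5.0 are affected

version_lt() {  # true when dotted numeric version $1 sorts strictly before $2
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

find_clear_calls() {  # print file:line:text for wolfSSL_clear()/SSL_clear() calls
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) -exec grep -nHE \
        '(^|[^A-Za-z0-9_])(wolfSSL_clear|SSL_clear)[[:space:]]*\(' {} + || true
}

audit() {  # usage: audit SRC_DIR WOLFSSL_VERSION
    if [ -z "$(find_clear_calls "$1")" ]; then
        echo "no-clear-calls"        # object reuse via clear is not present
    elif version_lt "$2" "$FIXED_VERSION"; then
        echo "review-and-upgrade"    # clear-based reuse on an affected version
    else
        echo "fixed-version"         # clear is used, but library is 5.5.0 or later
    fi
}

make_sample() {  # constructed sample sources, written under directory $1
    mkdir -p "$1/reuse" "$1/fresh"
    cat > "$1/reuse/server.c" <<'EOF'
/* constructed sample: one WOLFSSL object reused for every connection */
while (serve) {
    wolfSSL_set_fd(ssl, accept(lfd, NULL, NULL));
    wolfSSL_accept(ssl);
    wolfSSL_clear(ssl);
}
EOF
    cat > "$1/fresh/server.c" <<'EOF'
/* constructed sample: a new WOLFSSL object for every connection */
while (serve) {
    ssl = wolfSSL_new(ctx);
    wolfSSL_set_fd(ssl, accept(lfd, NULL, NULL));
    wolfSSL_accept(ssl);
    wolfSSL_free(ssl);
}
EOF
}

tmp=$(mktemp -d) && make_sample "$tmp"
audit "$tmp/reuse" "5.4.0"    # review-and-upgrade
audit "$tmp/fresh" "5.4.0"    # no-clear-calls
rm -rf "$tmp"
```

A "review-and-upgrade" verdict only identifies candidates: the script cannot tell whether the server negotiates TLS 1.3 with session resumption, which the description names as the triggering condition.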
Weakness Enumeration
Improper Check for Exceptional Conditions
Affected Products
Alt Linux
Debian
Wolfssl