PT-2022-2685 · Openssl+6

Raul Metsma · Published 2022-04-06 · Updated 2024-06-15 · CVE-2022-1343

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OpenSSL versions 3.0.0 through 3.0.2
Description: The issue is in the function `OCSP_basic_verify` in the OpenSSL library, which verifies the signer certificate on an OCSP response. When the non-default flag `OCSP_NOCHECKS` is used, the verification result is positive even if the response signing certificate fails to verify. This can allow a remote attacker to carry out a "man-in-the-middle" attack. The command line OpenSSL "ocsp" application is also affected when verifying an OCSP response with the `-no_cert_checks` option.
Recommendations: For OpenSSL versions 3.0.0 through 3.0.2, update to OpenSSL 3.0.3 to fix the issue. As a temporary workaround, avoid using the `OCSP_NOCHECKS` flag with `OCSP_basic_verify` until the update can be applied. Restrict access to the command line OpenSSL "ocsp" application to reduce the risk of exploitation when verifying OCSP responses with the `-no_cert_checks` option.
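As an added audit helper for this advisory (not code from this page or from the OpenSSL project), the POSIX shell script below checks whether an `openssl version` banner falls in the affected 3.0.0 through 3.0.2 range and greps a source tree for the `OCSP_NOCHECKS` flag and the `-no_cert_checks` option; the files it scans are constructed sample input for the demonstration.

```shell
#!/bin/sh
# Added audit helper for CVE-2022-1343 (not from the advisory): flags an affected
# OpenSSL 3.0.0-3.0.2 version and locates code or scripts that disable the OCSP
# signer check via OCSP_NOCHECKS / -no_cert_checks.

# openssl_version_from_banner "OpenSSL 3.0.2 15 Mar 2022" -> prints "3.0.2"
openssl_version_from_banner() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# affected_openssl_version VERSION -> exit 0 if VERSION is 3.0.0, 3.0.1 or 3.0.2
affected_openssl_version() {
    case "$1" in
        3.0.0|3.0.1|3.0.2) return 0 ;;
        *)                 return 1 ;;
    esac
}

# scan_for_nochecks DIR -> prints file:line:text for every use of OCSP_NOCHECKS
# or -no_cert_checks under DIR; exit 0 if at least one hit, 1 if none
scan_for_nochecks() {
    grep -rnE 'OCSP_NOCHECKS|-no_cert_checks' "$1" 2>/dev/null
}

# Constructed sample tree (hypothetical file contents) so the script runs stand-alone.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src" "$dir/scripts"
    cat > "$dir/src/verify.c" <<'EOF'
/* constructed: passes the risky flag straight into OCSP_basic_verify */
rc = OCSP_basic_verify(bs, certs, store, OCSP_NOCHECKS);
EOF
    cat > "$dir/scripts/check.sh" <<'EOF'
# constructed: command-line equivalent of the same weakness
openssl ocsp -respin resp.der -issuer issuer.pem -no_cert_checks
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run ("sh audit.sh run"): report the local openssl, scan the sample tree.
if [ "${1:-}" = "run" ]; then
    ver=$(openssl_version_from_banner "$(openssl version 2>/dev/null || echo 'OpenSSL unknown')")
    affected_openssl_version "$ver" && echo "openssl $ver: affected, upgrade to 3.0.3 or later" \
                                    || echo "openssl $ver: not in the affected range 3.0.0-3.0.2"
    tree=$(make_sample_tree)
    scan_for_nochecks "$tree" || echo "no OCSP_NOCHECKS / -no_cert_checks uses found"
    rm -rf "$tree"
fi
```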

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

ALSA-2022:6224
BDU:2022-03175
CVE-2022-1343
GHSA-MFM6-R9G2-Q4R7
OPENSUSE-SU-2022_2306-1
OPENSUSE-SU-2024:12204-1
RHSA-2022:6224
RHSA-2022_6224
RUSTSEC-2022-0027
SUSE-SU-2022:2306-1
USN-5402-1

Affected Products

Almalinux
Linuxmint
Openssl
Red Hat
Red Os
Suse
Ubuntu