CVE-2022-1473

Name of the Vulnerable Software and Affected Versions OpenSSL versions 3.0.0 through 3.0.2

Description The OPENSSL LH flush() function contains a bug that breaks reuse of the memory occupied by the removed hash table entries. This function is used when decoding certificates or keys. If a long-lived process periodically decodes certificates or keys, its memory usage will expand without bounds and the process might be terminated by the operating system, causing a denial of service. Also, traversing the empty hash table entries will take increasingly more time. Typically, such long-lived processes might be TLS clients or TLS servers configured to accept client certificate authentication.

Recommendations For OpenSSL versions 3.0.0 through 3.0.2, update to OpenSSL 3.0.3 to resolve the issue. As a temporary workaround, consider restricting the use of the OPENSSL LH flush() function until a patch is available. Avoid using this function in long-lived processes that periodically decode certificates or keys to minimize the risk of exploitation.