CVE-2022-2068 is a critical shell command injection vulnerability found in the c_rehash script distributed by some operating systems, including OpenSSL, Debian Linux, and Fedora. This vulnerability allows attackers to execute arbitrary commands with the privileges of the script, posing a significant security risk. Affecting a wide range of systems, it has been assigned a severity rating of 9.8 (Critical) on the CVSS 3.x scale and 10.0 (High) on the CVSS 2.0 scale. Security updates have been released to address this issue and protect affected systems.
How do I know if I'm affected?
If you're using Fedora 35 or 36, Debian Linux, or certain NetApp products, you might be affected by this vulnerability. In Fedora 35, OpenSSL versions 1.1.1p or earlier are affected, while in Fedora 36, it's openssl1.1 version 1.1.1p. For Debian, the affected versions are 1.1.1n-0+deb10u3 (buster) and 1.1.1n-0+deb11u3 (bullseye). NetApp products like Brocade SAN Navigator, FAS/AFF Baseboard Management Controller, and ONTAP Antivirus Connector, among others, are also impacted. Check your software versions to determine if you're at risk.
What should I do if I'm affected?
If you're affected by this vulnerability, it's important to update your software to the fixed versions. For Fedora users, use the "dnf" update program to install the update. Debian users should upgrade their OpenSSL packages to the fixed versions mentioned on the Debian Security Advisory page. Always follow recommendations and advisories provided by your software vendor or third-party sources.
Is this in CISA’s Known Exploited Vulnerabilities Catalog?
Yes, it is in CISA's Known Exploited Vulnerabilities Catalog. This issue, found in the c_rehash script, allows attackers to execute arbitrary commands due to improper sanitization of shell metacharacters. To address this issue, it's crucial to update your software to the fixed versions provided by your vendor.
Weakness enumeration
The weakness enumeration for this vulnerability is categorized as CWE-78 and involves improper neutralization of special elements in OS commands, also known as OS command injection. Updating OpenSSL to fixed versions helps resolve this issue.
For more details
CVE-2022-2068 is a critical vulnerability that affects various systems and software configurations. To protect your system, it's essential to update your software to the fixed versions provided by your vendor. For a comprehensive understanding of the vulnerability, including its description, severity, technical details, and known affected software configurations, visit the NVD page or the links below.
