[Security Advisory: UTSA-2022-000391] - [CVE-2022-2097]

Advisory ID: UTSA-2022-000391    Author: USRC    Release date: 2022/09/23

[UnionTech (UOS) Security Advisory: UTSA-2022-000391] - [CVE-2022-2097]


1. Vulnerability Description

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).

2. Vulnerability Information

Vulnerability ID: CVE-2022-2097

Package name: intel-sgx-ssl

Severity: Medium

CVSS 3.1 score: 5.3

3. Affected UOS Versions

Server 1050e, Server 1021e, Server 1020e

4. Vulnerability Detection

Detection method:

Check the installed package version with yum info Packagename.

Result:

Versions < 2.10-4.uel20 are affected by this vulnerability; versions >= 2.10-4.uel20 have it fixed.

5. Remediation

After updating the repository sources, run yum install Packagename to install the upgraded package.

6. Fix Status

The patch for this vulnerability was pushed to the public repository on September 13, 2022.

7. Fix Verification

If the installed intel-sgx-ssl version is >= 2.10-4.uel20, the vulnerability has been fixed.
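
As an added example that is not part of this advisory, the following POSIX shell script applies the detection and verification steps from sections 4 and 7: it compares an installed intel-sgx-ssl version-release string against the fixed version 2.10-4.uel20 segment by segment (a plain string comparison would wrongly rank 2.9 above 2.10) and, where rpm is available, checks the live host. The comparison is a simplified one rather than rpm's full algorithm, and the sample version strings are constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory: is the installed intel-sgx-ssl
# at or above the fixed version the advisory names? The compare is a
# simplified dotted-segment one, not full rpmvercmp (no epoch, ~ or ^).

FIXED="2.10-4.uel20"   # fixed version-release from the advisory
# cmp_segments A B: compare dot-separated strings segment by segment;
# numeric segments compare as integers, others as strings. Prints lt/eq/gt.
cmp_segments() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"                        # head segments
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac    # drop the heads
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        x="${x:-0}"; y="${y:-0}"                          # missing segment = 0
        if [ "$(expr "$x" \< "$y")" = 1 ]; then echo lt; return; fi
        if [ "$(expr "$x" \> "$y")" = 1 ]; then echo gt; return; fi
    done
    echo eq
}

# version_at_least INSTALLED FIXED: succeeds when INSTALLED >= FIXED, both
# given as version-release (2.10-4.uel20). Version decides; release breaks ties.
version_at_least() {
    r=$(cmp_segments "${1%%-*}" "${2%%-*}")
    [ "$r" = eq ] && r=$(cmp_segments "${1#*-}" "${2#*-}")
    [ "$r" != lt ]
}

# verdict VERSION-RELEASE: prints "fixed" or "affected" per the advisory.
verdict() {
    if version_at_least "$1" "$FIXED"; then echo fixed; else echo affected; fi
}

# check_host: live check where rpm exists (yum info intel-sgx-ssl shows the
# same Version/Release fields; rpm -q is easier to script).
check_host() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found, skipping live check"; return 0; }
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}' intel-sgx-ssl 2>/dev/null) ||
        { echo "intel-sgx-ssl is not installed"; return 0; }
    echo "intel-sgx-ssl $inst: $(verdict "$inst")"
}

# Constructed sample versions; 2.9-10 is older than 2.10-4 even though a
# plain string compare would rank "2.9" above "2.10".
for v in 2.9-10.uel20 2.10-3.uel20 2.10-4.uel20 2.11-1.uel20; do
    echo "$v -> $(verdict "$v")"
done
check_host
```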

8. Related Links

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2097

https://nvd.nist.gov/vuln/detail/CVE-2022-2097