
Security Advisory IBA-2022-05

OpenSSL component vulnerability

Publishing Date: 2022-08-08
Last Update: 2022-08-08
Tracking ID: IBA-2022-05
CVE: CVE-2022-0778
CVSS Base Score: 7.5
CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

A vulnerability in the OpenSSL component used by Kafka in ibaPDA could allow an attacker to cause a denial of service (DoS) condition by supplying a specially crafted certificate with elliptic curves.

Affected products

ibaPDA
All versions prior to v8.0.2

How do I know that I'm affected?

Check the version number in the title of the status application on the system where the server is running.

Customer Actions

Please update to ibaPDA v8.0.2 or higher.
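The check described above, as an added example that is not iba's own code: it takes the version text a defender has collected from the status application title on each server (the exact title format is not given in the advisory, so the sample titles below are constructed), compares it numerically against the first fixed release v8.0.2, and reports which installations still need the update.

```python
"""Added example (not iba's code): flag ibaPDA installations affected by IBA-2022-05.

The advisory fixes the issue in ibaPDA v8.0.2; any earlier version is affected.
Versions are compared component by component as integers, so that "8.0.10"
correctly ranks above "8.0.2" (a plain string comparison would get this wrong).
"""
import re

FIXED_VERSION = "8.0.2"  # first fixed ibaPDA release, per the advisory


def parse_version(text: str) -> tuple:
    """Extract the first dotted numeric version from a title or version string,
    e.g. "ibaPDA v8.0.1" -> (8, 0, 1). Raises ValueError if none is present."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(version: tuple, length: int) -> tuple:
    """Right-pad with zeros so (8, 0) and (8, 0, 2) compare as 8.0.0 vs 8.0.2."""
    return version + (0,) * (length - len(version))


def is_affected(version_text: str) -> bool:
    """True when the installed ibaPDA version is below the fixed version."""
    installed = parse_version(version_text)
    fixed = parse_version(FIXED_VERSION)
    width = max(len(installed), len(fixed))
    return _pad(installed, width) < _pad(fixed, width)


def triage(inventory: dict) -> dict:
    """Map host -> "affected" / "fixed" / "unknown" for {host: status title}."""
    result = {}
    for host, title in inventory.items():
        try:
            result[host] = "affected" if is_affected(title) else "fixed"
        except ValueError:
            result[host] = "unknown"  # no version found; needs a manual look
    return result


# Constructed sample inventory; host names and titles are illustrative only.
SAMPLE_INVENTORY = {
    "pda-line1": "ibaPDA v7.3.5",
    "pda-line2": "ibaPDA v8.0.1",
    "pda-line3": "ibaPDA v8.0.2",
    "pda-line4": "ibaPDA v8.0.10",
    "pda-spare": "ibaPDA (version unavailable)",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```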

Technical Details

Issue

The Kafka component used by ibaPDA shipped an older version of OpenSSL (1.1.1l) that was vulnerable to the above-mentioned CVE-2022-0778. An attacker could have used a specially crafted certificate with elliptic curves to create a denial of service condition in which a function would loop forever.

Timeline

2022-07-16 Notified by iba A&C Team
2022-08-03 New ibaPDA version released
2022-08-08 Security advisory published