UBUNTU-CVE-2022-40735

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2022-40735

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-40735.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2022-40735

Related

CVE-2022-40735
USN-6854-1

Published

2022-11-14T23:15:00Z

Modified

2025-01-13T10:23:31Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

The Diffie-Hellman Key Agreement Protocol allows use of long exponents that arguably make certain calculations unnecessarily expensive, because the 1996 van Oorschot and Wiener paper found that "(appropriately) short exponents" can be used when there are adequate subgroup constraints, and these short exponents can lead to less expensive calculations than for long exponents. This issue is different from CVE-2002-20001 because it is based on an observation about exponent size, rather than an observation about numbers that are not public keys. The specific situations in which calculation expense would constitute a server-side vulnerability depend on the protocol (e.g., TLS, SSH, or IKE) and the DHE implementation details. In general, there might be an availability concern because of server-side resource consumption from DHE modular-exponentiation calculations. Finally, it is possible for an attacker to exploit this vulnerability and CVE-2002-20001 together.

References

Affected packages

Ubuntu:20.04:LTS / openssl

Package

Name: openssl
Purl: pkg:deb/ubuntu/openssl@1.1.1f-1ubuntu2.22?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.1f-1ubuntu2.22

Affected versions

1.*

1.1.1c-1ubuntu4

1.1.1d-2ubuntu3

1.1.1d-2ubuntu6

1.1.1f-1ubuntu1

1.1.1f-1ubuntu2

1.1.1f-1ubuntu2.1

1.1.1f-1ubuntu2.2

1.1.1f-1ubuntu2.3

1.1.1f-1ubuntu2.4

1.1.1f-1ubuntu2.5

1.1.1f-1ubuntu2.8

1.1.1f-1ubuntu2.9

1.1.1f-1ubuntu2.10

1.1.1f-1ubuntu2.11

1.1.1f-1ubuntu2.12

1.1.1f-1ubuntu2.13

1.1.1f-1ubuntu2.15

1.1.1f-1ubuntu2.16

1.1.1f-1ubuntu2.17

1.1.1f-1ubuntu2.18

1.1.1f-1ubuntu2.19

1.1.1f-1ubuntu2.20

1.1.1f-1ubuntu2.21

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.1.1f-1ubuntu2.22",
            "binary_name": "libcrypto1.1-udeb"
        },
        {
            "binary_version": "1.1.1f-1ubuntu2.22",
            "binary_name": "libssl-dev"
        },
        {
            "binary_version": "1.1.1f-1ubuntu2.22",
            "binary_name": "libssl-doc"
        },
        {
            "binary_version": "1.1.1f-1ubuntu2.22",
            "binary_name": "libssl1.1"
        },
        {
            "binary_version": "1.1.1f-1ubuntu2.22",
            "binary_name": "libssl1.1-dbgsym"
        },
        {
            "binary_version": "1.1.1f-1ubuntu2.22",
            "binary_name": "libssl1.1-udeb"
        },
        {
            "binary_version": "1.1.1f-1ubuntu2.22",
            "binary_name": "openssl"
        },
        {
            "binary_version": "1.1.1f-1ubuntu2.22",
            "binary_name": "openssl-dbgsym"
        }
    ],
    "availability": "No subscription required",
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / nodejs

Package

Name: nodejs
Purl: pkg:deb/ubuntu/nodejs@12.22.9~dfsg-1ubuntu3.6?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

12.*

12.22.5~dfsg-5ubuntu1

12.22.7~dfsg-2ubuntu1

12.22.7~dfsg-2ubuntu3

12.22.9~dfsg-1ubuntu2

12.22.9~dfsg-1ubuntu3

12.22.9~dfsg-1ubuntu3.1

12.22.9~dfsg-1ubuntu3.2

12.22.9~dfsg-1ubuntu3.3

12.22.9~dfsg-1ubuntu3.4

12.22.9~dfsg-1ubuntu3.5

12.22.9~dfsg-1ubuntu3.6

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / openssl

Package

Name: openssl
Purl: pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.2-0ubuntu1.16

Affected versions

1.*

1.1.1l-1ubuntu1

3.*

3.0.0-1ubuntu1

3.0.1-0ubuntu1

3.0.2-0ubuntu1

3.0.2-0ubuntu1.1

3.0.2-0ubuntu1.2

3.0.2-0ubuntu1.4

3.0.2-0ubuntu1.5

3.0.2-0ubuntu1.6

3.0.2-0ubuntu1.7

3.0.2-0ubuntu1.8

3.0.2-0ubuntu1.9

3.0.2-0ubuntu1.10

3.0.2-0ubuntu1.12

3.0.2-0ubuntu1.13

3.0.2-0ubuntu1.14

3.0.2-0ubuntu1.15

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.0.2-0ubuntu1.16",
            "binary_name": "libssl-dev"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.16",
            "binary_name": "libssl-doc"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.16",
            "binary_name": "libssl3"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.16",
            "binary_name": "libssl3-dbgsym"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.16",
            "binary_name": "openssl"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.16",
            "binary_name": "openssl-dbgsym"
        }
    ],
    "availability": "No subscription required",
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:FIPS-preview:22.04:LTS / openssl

Package

Name: openssl
Purl: pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.12+Fips1?arch=source&distro=fips-preview/jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.2-0ubuntu1.10+Fips1

3.0.2-0ubuntu1.12+Fips1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:FIPS-updates:22.04:LTS / openssl

Package

Name: openssl
Purl: pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.16+Fips1?arch=source&distro=fips-updates/jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.2-0ubuntu1.16+Fips1

Affected versions

3.*

3.0.2-0ubuntu1.10+Fips1

3.0.2-0ubuntu1.12+Fips1

3.0.2-0ubuntu1.14+Fips1

3.0.2-0ubuntu1.15+Fips1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.0.2-0ubuntu1.16+Fips1",
            "binary_name": "libssl-dev"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.16+Fips1",
            "binary_name": "libssl-doc"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.16+Fips1",
            "binary_name": "libssl3"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.16+Fips1",
            "binary_name": "libssl3-dbgsym"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.16+Fips1",
            "binary_name": "openssl"
        },
        {
            "binary_version": "3.0.2-0ubuntu1.16+Fips1",
            "binary_name": "openssl-dbgsym"
        }
    ],
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / openssl

Package

Name: openssl
Purl: pkg:deb/ubuntu/openssl@3.0.13-0ubuntu3?arch=source&distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.13-0ubuntu3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.0.13-0ubuntu3",
            "binary_name": "libssl-dev"
        },
        {
            "binary_version": "3.0.13-0ubuntu3",
            "binary_name": "libssl-doc"
        },
        {
            "binary_version": "3.0.13-0ubuntu3",
            "binary_name": "libssl3t64"
        },
        {
            "binary_version": "3.0.13-0ubuntu3",
            "binary_name": "libssl3t64-dbgsym"
        },
        {
            "binary_version": "3.0.13-0ubuntu3",
            "binary_name": "openssl"
        },
        {
            "binary_version": "3.0.13-0ubuntu3",
            "binary_name": "openssl-dbgsym"
        }
    ],
    "availability": "No subscription required",
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / openssl

Package

Name: openssl
Purl: pkg:deb/ubuntu/openssl@3.0.13-0ubuntu3?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.13-0ubuntu3

Affected versions

3.*

3.0.10-1ubuntu2

3.0.10-1ubuntu2.1

3.0.10-1ubuntu3

3.0.10-1ubuntu4

3.0.13-0ubuntu2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.0.13-0ubuntu3",
            "binary_name": "libssl-dev"
        },
        {
            "binary_version": "3.0.13-0ubuntu3",
            "binary_name": "libssl-doc"
        },
        {
            "binary_version": "3.0.13-0ubuntu3",
            "binary_name": "libssl3t64"
        },
        {
            "binary_version": "3.0.13-0ubuntu3",
            "binary_name": "libssl3t64-dbgsym"
        },
        {
            "binary_version": "3.0.13-0ubuntu3",
            "binary_name": "openssl"
        },
        {
            "binary_version": "3.0.13-0ubuntu3",
            "binary_name": "openssl-dbgsym"
        }
    ],
    "availability": "No subscription required",
    "ubuntu_priority": "medium"
}