CVE-2022-2068: 
OpenSSL vulnerability analysis and mitigation

CVE-2022-2068 is a command injection vulnerability discovered in OpenSSL's crehash script. The vulnerability was identified on May 20, 2022, and publicly disclosed on June 21, 2022. It affects OpenSSL versions 1.0.2, 1.1.1, and 3.0. The issue stems from improper sanitization of shell metacharacters in the crehash script, which could allow command injection (OpenSSL Advisory).

The vulnerability is an extension of the previously identified CVE-2022-1292, where additional instances of improper shell metacharacter sanitization were discovered in the c_rehash script. When processing certificate filenames, these values were passed to commands executed through the shell without proper sanitization. The vulnerability received a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CISA).

On systems where the c_rehash script is automatically executed, an attacker could execute arbitrary commands with the privileges of the script. This could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (NetApp Advisory).

The vulnerability has been fixed in OpenSSL versions 1.0.2zf, 1.1.1p, and 3.0.4. Users are strongly recommended to upgrade to these versions or later. Additionally, the use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool (OpenSSL Advisory).