CVE-2022-3358: 
Rust vulnerability analysis and mitigation

OpenSSL versions 3.0.0 to 3.0.5 contain a vulnerability (CVE-2022-3358) related to incorrect handling of legacy custom ciphers. The vulnerability was discovered on August 9, 2022, by Chris Rapier of the Pittsburgh Supercomputing Center and was publicly disclosed on October 11, 2022. The issue affects applications that use the legacy EVPCIPHERmethnew() function with NIDundef parameter in OpenSSL 3.0.0-3.0.5, while OpenSSL 1.1.1 and 1.0.2 are not affected (OpenSSL Advisory).

The vulnerability occurs when applications use the deprecated EVPCIPHERmethnew() function with NIDundef parameter in encryption/decryption initialization functions (EVPEncryptInitex2(), EVPDecryptInitex2(), and EVPCipherInitex2()). Instead of using the custom cipher directly, OpenSSL incorrectly attempts to fetch an equivalent cipher based on the NID, resulting in the use of a NULL cipher that outputs plaintext as ciphertext. The vulnerability has been assigned a severity rating of Low by OpenSSL (OpenSSL Advisory).

When successfully exploited, this vulnerability could lead to disclosure of sensitive information as the NULL cipher causes plaintext to be output as ciphertext. However, the impact is limited to applications that specifically call EVPCIPHERmethnew() using NIDundef and subsequently use it in encryption/decryption initialization functions. Applications that only use SSL/TLS are not impacted by this issue (OpenSSL Advisory, NetApp Advisory).

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.6 or later to address this vulnerability. Application authors are encouraged to use the new provider mechanism instead of the legacy EVPCIPHERmeth_new() function for implementing custom ciphers. No workarounds are available for this vulnerability (OpenSSL Advisory).