CVE-2022-4450: 
Rust vulnerability analysis and mitigation

A double-free vulnerability (CVE-2022-4450) was discovered in OpenSSL's PEMreadbio_ex function. The vulnerability affects OpenSSL versions 3.0 and 1.1.1, and was disclosed on February 7, 2023. The issue occurs in the PEM file parsing functionality, specifically when processing files with zero bytes of payload data (OpenSSL Advisory).

The vulnerability exists in the PEMreadbioex() function which reads a PEM file from a BIO and parses and decodes the 'name', header data, and payload data. When processing a PEM file with 0 bytes of payload data, the function returns a failure code but populates the header argument with a pointer to an already freed buffer. If the caller then frees this buffer, a double free occurs. This issue also affects wrapper functions PEMreadbio() and PEMread(), as well as other OpenSSL functions including PEMX509INFOreadbioex() and SSLCTXuseserverinfo_file(). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) (NVD).

The exploitation of this vulnerability most likely leads to a crash, potentially enabling attackers to achieve a denial of service attack. The vulnerability affects applications that have the ability to process untrusted PEM files (OpenSSL Advisory).

OpenSSL has released patches to address this vulnerability. Users of OpenSSL 3.0 should upgrade to version 3.0.8, and users of OpenSSL 1.1.1 should upgrade to version 1.1.1t. OpenSSL 1.0.2 is not affected by this issue. The fix involves clearing the pointers stored in header and data parameters when freeing the buffers (OpenSSL Advisory, OpenSSL Patch).