NVD - CVE-2022-2097 (original) (raw)
CVE-2022-2097 Detail
Description
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).
Metrics
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:
NIST: NVD
N/A
NVD assessment not yet provided.
CVSS 3.x Severity and Vector Strings:
NIST: NVD
Base Score: 5.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0 Severity and Vector Strings:
NIST: NVD
Base Score: 5.0 MEDIUM
Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
References to Advisories, Solutions, and Tools
By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].
Weakness Enumeration
| CWE-ID | CWE Name | Source |
|---|---|---|
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | NIST |
Known Affected Software Configurations Switch to CPE 2.2
CPEs loading, please wait.
Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.
Change History
20 change records found show changes
CVE Modified by CISA-ADP 6/17/2026 12:41:16 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Affected | Record truncated, showing 2048 of 3353 characters. View Entire Change Record [{"vendor":"openssl","product":"openssl","defaultStatus":"unknown","cpes":["cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*"],"versions":[{"version":"1.1.1","lessThan":"1.1.1q","versionType":"custom","status":"affected"}]},{"vendor":"openssl","product":"openssl","defaultStatus":"unknown","cpes":["cpe:2.3:a:openssl:openssl:3.0.0:*:*:*:*:*:*:*"],"versions":[{"version":"3.0.0","lessThan":"3.0.5","versionType":"custom","status":"affected"}]},{"vendor":"netapp","product":"ontap_antivirus_connector","defaultStatus":"unknown","cpes":["cpe:2.3:a:netapp:ontap_antivirus_connector:*:*:*:*:*:*:*:*"],"versions":[{"version":"0","status":"affected"}]},{"vendor":"netapp","product":"ontap_select_deploy_administration_utility","defaultStatus":"unknown","cpes":["cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:*:*:*:*:*:*:*:*"],"versions":[{"version":"0","status":"affected"}]},{"vendor":"fedoraproject","product":"fedora","defaultStatus":"unknown","cpes":["cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*"],"versions":[{"version":"35","status":"affected"},{"version":"36","status":"affected"}]},{"vendor":"netapp","product":"active_iq_unified_manager_for_vmware_vsphere","defaultStatus":"unknown","cpes":["cpe:2.3:a:netapp:active_iq_unified_manager_for_vmware_vsphere:*:*:*:*:*:*:*:*"],"versions":[{"version":"0","status":"affected"}]},{"vendor":"netapp","product":"hci_baseboard_management_controller","defaultStatus":"unknown","cpes":["cpe:2.3:a:netapp:hci_baseboard_management_controller:h300s:*:*:*:*:*:*:*","cpe:2.3:a:netapp:hci_baseboard_management_controller:h410c:*:*:*:*:*:*:*","cpe:2.3:a:netapp:hci_baseboard_management_controller:h410s:*:*:*:*:*:*:*","cpe:2.3:a:netapp:hci_baseboard_management_controller:h500s:*:*:*:*:*:*:*","cpe:2.3:a:netapp:hci_baseboard_management_controller:h700s:*:*:*:*:*:*:*"],"versions":[{"version":"h300s","status":"affected"},{"version":"h410c","status":"affected"},{"version":"h410s","status":"affected"},{"version":"h500s","status":"affected"},{"version" | |
| Added | SSVC | {"timestamp":"2024-07-26T19:45:07.166681Z","id":"CVE-2022-2097","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"} |
CVE Modified by OpenSSL Software Foundation 6/17/2026 12:41:16 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Affected | [{"vendor":"OpenSSL","product":"OpenSSL","versions":[{"version":"Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4)","status":"affected"},{"version":"Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p)","status":"affected"}]}] |
CVE Modified by CVE 11/21/2024 2:00:18 AM
CVE Modified by OpenSSL Software Foundation 6/21/2024 3:15:23 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | OpenSSL Software Foundation https://security.netapp.com/advisory/ntap-20240621-0006/ [No types assigned] |
CVE Modified by OpenSSL Software Foundation 5/14/2024 6:30:58 AM
| Action | Type | Old Value | New Value |
|---|
CVE Modified by OpenSSL Software Foundation 11/06/2023 10:46:13 PM
CWE Remap by NIST 8/08/2023 10:22:24 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Changed | CWE | CWE-326 | CWE-327 |
CVE Modified by OpenSSL Software Foundation 4/20/2023 5:15:08 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://security.netapp.com/advisory/ntap-20230420-0008/ [No Types Assigned] |
Modified Analysis by NIST 2/23/2023 11:14:24 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CPE Configuration | OR *cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:* versions up to (excluding) 1.0 *cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:* *cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:* *cpe:2.3:a:siemens:sinec_ins:1.0:sp2:*:*:*:*:*:* | |
| Added | CPE Configuration | OR *cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* *cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | |
| Changed | Reference Type | https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf No Types Assigned | https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf Third Party Advisory |
| Changed | Reference Type | https://lists.debian.org/debian-lts-announce/2023/02/msg00019.html No Types Assigned | https://lists.debian.org/debian-lts-announce/2023/02/msg00019.html Mailing List, Third Party Advisory |
| Changed | Reference Type | https://www.debian.org/security/2023/dsa-5343 No Types Assigned | https://www.debian.org/security/2023/dsa-5343 Third Party Advisory |
CVE Modified by OpenSSL Software Foundation 2/20/2023 8:15:10 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://lists.debian.org/debian-lts-announce/2023/02/msg00019.html [No Types Assigned] |
CVE Modified by OpenSSL Software Foundation 2/08/2023 7:15:23 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://www.debian.org/security/2023/dsa-5343 [No Types Assigned] |
CVE Modified by OpenSSL Software Foundation 1/10/2023 8:15:14 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf [No Types Assigned] |
Modified Analysis by NIST 10/28/2022 4:40:22 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Changed | Reference Type | https://security.gentoo.org/glsa/202210-02 No Types Assigned | https://security.gentoo.org/glsa/202210-02 Third Party Advisory |
CVE Modified by OpenSSL Software Foundation 10/16/2022 1:15:17 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://security.gentoo.org/glsa/202210-02 [No Types Assigned] |
Modified Analysis by NIST 8/26/2022 2:03:15 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | NIST AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | |
| Removed | CVSS V3.1 | NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | |
| Changed | CPE Configuration | OR *cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* | OR *cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* *cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* |
| Added | CPE Configuration | AND OR *cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:* | |
| Added | CPE Configuration | AND OR *cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:* | |
| Added | CPE Configuration | AND OR *cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:* | |
| Added | CPE Configuration | AND OR *cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:* | |
| Added | CPE Configuration | AND OR *cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:* | |
| Added | CPE Configuration | OR *cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* *cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:* | |
| Changed | Reference Type | https://lists.fedoraproject.org/archives/list/[\[email protected]](/cdn-cgi/l/email-protection)/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/ No Types Assigned | https://lists.fedoraproject.org/archives/list/[\[email protected]](/cdn-cgi/l/email-protection)/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/ Mailing List, Third Party Advisory |
| Changed | Reference Type | https://lists.fedoraproject.org/archives/list/[\[email protected]](/cdn-cgi/l/email-protection)/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/ No Types Assigned | https://lists.fedoraproject.org/archives/list/[\[email protected]](/cdn-cgi/l/email-protection)/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/ Mailing List, Third Party Advisory |
| Changed | Reference Type | https://security.netapp.com/advisory/ntap-20220715-0011/ No Types Assigned | https://security.netapp.com/advisory/ntap-20220715-0011/ Third Party Advisory |
CVE Modified by OpenSSL Software Foundation 7/23/2022 12:15:18 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://lists.fedoraproject.org/archives/list/[\[email protected]](/cdn-cgi/l/email-protection)/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/ [No Types Assigned] |
CVE Modified by OpenSSL Software Foundation 7/15/2022 12:15:11 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://security.netapp.com/advisory/ntap-20220715-0011/ [No Types Assigned] |
CVE Modified by OpenSSL Software Foundation 7/14/2022 11:15:08 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://lists.fedoraproject.org/archives/list/[\[email protected]](/cdn-cgi/l/email-protection)/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/ [No Types Assigned] |
Initial Analysis by NIST 7/14/2022 6:05:21 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | |
| Added | CVSS V2 | NIST (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |
| Added | CWE | NIST CWE-326 | |
| Added | CPE Configuration | OR *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 1.1.1 up to (excluding) 1.1.1q *cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 3.0.0 up to (excluding) 3.0.5 | |
| Added | CPE Configuration | OR *cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* | |
| Changed | Reference Type | https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=919925673d6c9cfed3c1085497f5dfbbed5fc431 No Types Assigned | https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=919925673d6c9cfed3c1085497f5dfbbed5fc431 Mailing List, Patch, Vendor Advisory |
| Changed | Reference Type | https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a98f339ddd7e8f487d6e0088d4a9a42324885a93 No Types Assigned | https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a98f339ddd7e8f487d6e0088d4a9a42324885a93 Mailing List, Patch, Vendor Advisory |
| Changed | Reference Type | https://lists.fedoraproject.org/archives/list/[\[email protected]](/cdn-cgi/l/email-protection)/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/ No Types Assigned | https://lists.fedoraproject.org/archives/list/[\[email protected]](/cdn-cgi/l/email-protection)/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/ Mailing List, Third Party Advisory |
| Changed | Reference Type | https://www.openssl.org/news/secadv/20220705.txt No Types Assigned | https://www.openssl.org/news/secadv/20220705.txt Vendor Advisory |
CVE Modified by OpenSSL Software Foundation 7/09/2022 12:15:11 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://lists.fedoraproject.org/archives/list/[\[email protected]](/cdn-cgi/l/email-protection)/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/ [No Types Assigned] |
Quick Info
CVE Dictionary Entry:
CVE-2022-2097
NVD Published Date:
07/05/2022
NVD Last Modified:
06/17/2026
Source:
OpenSSL Software Foundation