Denial of Service Vulnerability in Several Versions of OpenSSL
Priority: ● High
Status: In Progress - Monitoring
First Published: 2022 March 28
Advisory Version: 1.2
References: CVE-2022-0778
Summary
OpenSSL versions 1.0.2 to 1.0.2zc, 1.1.1 to 1.1.1m, 3.0.0, and 3.0.1 contain a vulnerability that could allow a denial of service (DoS) attack. The vulnerability lies in a specific function used to parse certificates containing "elliptic curve" public keys in compressed form, or explicit elliptic curve parameters with a base point encoded in compressed form. Using malicious input, an attacker could cause the function to enter an infinite loop.
This vulnerability has since been fixed in the following versions of OpenSSL:
· OpenSSL 1.0.2zd and later
· OpenSSL 1.1.1n and later
· OpenSSL 3.0.2 and later
Please refer to the following resource for additional information regarding this vulnerability:
· Official Mitre entry for CVE-2022-0778
Affected Products
Vulnerable Products
Hitachi Vantara is currently investigating its product lines to determine if any are affected by this vulnerability. If any products or solutions are found to be impacted, they will be indicated in this section, in subsequent updates to this advisory, along with information regarding mitigations or fixed release versions (if such information is available at the time). Likewise, any products or solutions that have been confirmed not to be affected by the given vulnerability will be listed in the section below.
NOTE: If cited, product documentation, including product-specific Alerts and Technical Bulletins, are available to Hitachi Vantara customers logged into Support Connect.
| Product | Fixed Release Version |
| Storage Systems |
| Hitachi Virtual Storage Platform VSP 5100, VSP 5100H, VSP 5500, VSP 5500H (VSP 5x00) RAID 900 [NOTE: indicated systems are not affected if CCI using DTLS is not used.] |
Fixed in storage microcode version 90-08-42, now available |
| Hitachi Virtual Storage Platform VSP 5200, VSP 5200H, VSP 5600, VSP 5600H (VSP 5x00) RAID 900 [NOTE: indicated systems are not affected if CCI using DTLS is not used.] |
Fixed in storage microcode version 90-08-42, now available |
| Content Systems |
| Content Platform | Affected version of OpenSSL is used. Targeted for 9.3.6 release. |
| HCP for Cloud Scale | Affected version of OpenSSL is used. Remediation is under investigation. |
| Content Intelligence | Affected version of OpenSSL is used. Remediation is under investigation. |
| Data Protector | Affected version of OpenSSL is used. Will be addressed in Protector 7.5. |
| Software Products |
| Ops Center Analyzer / Analyzer Viewpoint |
Fixed in Hitachi Ops Center Analyzer 10.8.3-00 (already released), and Hitachi Ops Center Analyzer viewpoint 10.8.3-00 (already released). |
| HCM / Configuration Manager | Fixed in HCM 10.8.2-00 (already released), and Hitachi Ops Center API Configuration Manager 10.8.2-00 (already released). Please see Alert A2022072601. |
| Ops Center API Configuration Manager | Fixed in HCM 10.8.2-00 (already released), and Hitachi Ops Center API Configuration Manager 10.8.2-00 (already released). Please see Alert A2022072601. |
| HDvM Server | Affected only if no-longer-supported Vantara midrange storage models (HUS100, Hitachi AMS2000, Hitachi SMS, and Hitachi AMS/WMS) are administered in the management tool. Otherwise, HDvM Server os not affected. If such storage is being managed, please delete them from the management target list in order to mitigate this vulnerability. |
| HTnM Agent for RAID | Affected only if no-longer-supported Vantara midrange storage models (HUS100, Hitachi AMS2000, Hitachi SMS, and Hitachi AMS/WMS) are administered in the management tool. Otherwise, HDvM Server is not affected. If such storage is being managed, please delete them from the management target list to mitigate this vulnerability. |
| HIAA Probe / Ops Center Analyzer Probe for AMS | Affected only if Hitachi Adaptable Modular Storage (AMS) probe is used for performance monitoring of no-longer-supported Vantara midrange HUS110, HUS130, and HUS150 storage models. Otherwise, not affected. If the AMS probe is being used to monitor the aforementioned, please stop using it and delete it to mitigate this vulnerability. |
Products Confirmed Not Vulnerable
* As this is an ongoing investigation across all Hitachi Vantara product lines, please note that products may be reclassified as vulnerable as they continue to be evaluated for risk
| Product | Notes / Fixed Release Version |
| Network Attached Storage |
| HNAS 5000 Series | Not affected |
| HNAS 4000 Series | Not affected |
| HNAS 30x0 Series | Not affected |
| Content Products |
| Content Platform Anywhere | Affected versions of OpenSSL are not used |
| Content Platform S Series | Affected versions of OpenSSL are not used |
| Software Products |
| Ops Center Automator | Not affected; implemented version of OpenSSL does not meet the conditions of occurrence for this vulnerability. |
| HSA / Storage Administrator | Not affected; implemented version of OpenSSL does not meet the conditions of occurrence for this vulnerability. |
| HDvM Agent / Device Manager Agent | Not affected; implemented version of OpenSSL does not meet the conditions of occurrence for this vulnerability. |
| HDvM HDC / Device Manager Host Data Collection | Not affected; OpenSSL is not used. |
| HRpM / Replication Manager | Not affected; implemented version of OpenSSL does not meet the conditions of occurrence for this vulnerability. |
| HTSM / Tiered Storage Manager | Not affected; implemented version of OpenSSL does not meet the conditions of occurrence for this vulnerability. |
| HGLM / Global Link Manager | Not affected; implemented version of OpenSSL does not meet the conditions of occurrence for this vulnerability. |
| HDLM / Dynamic Link Manager | Not affected; OpenSSL is not used. |
| HTnM / Tuning Manager / HTNM Agent for NAS | Not affected; OpenSSL is not used. |
| HCSM / Compute Systems Manager | Not affected; OpenSSL is not used. |
| HAD / Automation Director | Not affected; OpenSSL is not used. |
| HIAA / Infrastructure Analytics Advisor (Server) | Not affected; implemented version of OpenSSL does not meet the conditions of occurrence for this vulnerability. |
| HIAA / Infrastructure Analytics Advisor (DCA, Windows Probe, RAID Agent) | Not affected; OpenSSL is not used. |
Recommended Actions
Please continue to check this Security Advisory, as new information will be added to it as it becomes available.
If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.
The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.