Skip to content

Denial of Service Vulnerability in Several Versions of OpenSSL

Updated  by hvuser
  • PDF
  • Print
  • Copy To Clipboard
  • Collapse All Expand All

Content

Priority: High

Status: In Progress - Monitoring

 

First Published: 2022 March 28

Advisory Version: 1.2

References: CVE-2022-0778

 

Summary

OpenSSL versions 1.0.2 to 1.0.2zc, 1.1.1 to 1.1.1m, 3.0.0, and 3.0.1 contain a vulnerability that could allow a denial of service (DoS) attack. The vulnerability lies in a specific function used to parse certificates containing "elliptic curve" public keys in compressed form, or explicit elliptic curve parameters with a base point encoded in compressed form. Using malicious input, an attacker could cause the function to enter an infinite loop.

This vulnerability has since been fixed in the following versions of OpenSSL:

· OpenSSL 1.0.2zd and later
· OpenSSL 1.1.1n and later
· OpenSSL 3.0.2 and later

Please refer to the following resource for additional information regarding this vulnerability:

· Official Mitre entry for CVE-2022-0778

 

Affected Products

Vulnerable Products

Hitachi Vantara is currently investigating its product lines to determine if any are affected by this vulnerability. If any products or solutions are found to be impacted, they will be indicated in this section, in subsequent updates to this advisory, along with information regarding mitigations or fixed release versions (if such information is available at the time). Likewise, any products or solutions that have been confirmed not to be affected by the given vulnerability will be listed in the section below.

NOTE: If cited, product documentation, including product-specific Alerts and Technical Bulletins, are available to Hitachi Vantara customers logged into Support Connect.

Product Fixed Release Version
Storage Systems
Hitachi Virtual Storage Platform VSP 5100,  VSP 5100H,  VSP 5500, VSP 5500H
(VSP 5x00) RAID 900

[NOTE: indicated systems are not affected if CCI using DTLS is not used.]
Fixed in storage microcode version 90-08-42, now available
 
Hitachi Virtual Storage Platform VSP 5200,  VSP 5200H,  VSP 5600, VSP 5600H
(VSP 5x00) RAID 900

[NOTE: indicated systems are not affected if CCI using DTLS is not used.]
Fixed in storage microcode version 90-08-42, now available
Content Systems
Content Platform Affected version of OpenSSL is used. Targeted for 9.3.6 release.
HCP for Cloud Scale Affected version of OpenSSL is used. Remediation is under investigation.
Content Intelligence Affected version of OpenSSL is used. Remediation is under investigation.
Data Protector Affected version of OpenSSL is used. Will be addressed in Protector 7.5.
Software Products
Ops Center Analyzer / Analyzer Viewpoint

Fixed in Hitachi Ops Center Analyzer 10.8.3-00 (already released), and Hitachi Ops Center Analyzer viewpoint 10.8.3-00 (already released).

Please see Alert A2022080406.

HCM / Configuration Manager Fixed in HCM 10.8.2-00 (already released), and Hitachi Ops Center API Configuration Manager 10.8.2-00 (already released).

Please see Alert A2022072601.
Ops Center API Configuration Manager Fixed in HCM 10.8.2-00 (already released), and Hitachi Ops Center API Configuration Manager 10.8.2-00 (already released).

Please see Alert A2022072601.
HDvM Server Affected only if no-longer-supported Vantara midrange storage models (HUS100, Hitachi AMS2000, Hitachi SMS, and Hitachi AMS/WMS) are administered in the management tool. Otherwise, HDvM Server os not affected.

If such storage is being managed, please delete them from the management target list in order to mitigate this vulnerability.
HTnM Agent for RAID Affected only if no-longer-supported Vantara midrange storage models (HUS100, Hitachi AMS2000, Hitachi SMS, and Hitachi AMS/WMS) are administered in the management tool. Otherwise, HDvM Server is not affected.

If such storage is being managed, please delete them from the management target list to mitigate this vulnerability.
HIAA Probe / Ops Center Analyzer Probe for AMS Affected only if Hitachi Adaptable Modular Storage (AMS) probe is used for performance monitoring of no-longer-supported Vantara midrange HUS110, HUS130, and HUS150 storage models. Otherwise, not affected.
 

If the AMS probe is being used to monitor the aforementioned, please stop using it and delete it to mitigate this vulnerability.

Products Confirmed Not Vulnerable

* As this is an ongoing investigation across all Hitachi Vantara product lines, please note that products may be reclassified as vulnerable as they continue to be evaluated for risk

Product Notes / Fixed Release Version
Network Attached Storage
HNAS 5000 Series Not affected
HNAS 4000 Series Not affected
HNAS 30x0 Series Not affected
Content Products
Content Platform Anywhere Affected versions of OpenSSL are not used
Content Platform S Series Affected versions of OpenSSL are not used
Software Products
Ops Center Automator Not affected; implemented version of OpenSSL does not meet the conditions of occurrence for this vulnerability.
HSA / Storage Administrator Not affected; implemented version of OpenSSL does not meet the conditions of occurrence for this vulnerability.
HDvM Agent / Device Manager Agent Not affected; implemented version of OpenSSL does not meet the conditions of occurrence for this vulnerability.
HDvM HDC / Device Manager Host Data Collection Not affected; OpenSSL is not used.
HRpM / Replication Manager Not affected; implemented version of OpenSSL does not meet the conditions of occurrence for this vulnerability.
HTSM / Tiered Storage Manager Not affected; implemented version of OpenSSL does not meet the conditions of occurrence for this vulnerability.
HGLM / Global Link Manager Not affected; implemented version of OpenSSL does not meet the conditions of occurrence for this vulnerability.
HDLM / Dynamic Link Manager Not affected; OpenSSL is not used.
HTnM / Tuning Manager / HTNM Agent for NAS Not affected; OpenSSL is not used.
HCSM / Compute Systems Manager Not affected; OpenSSL is not used.
HAD / Automation Director Not affected; OpenSSL is not used.
HIAA / Infrastructure Analytics Advisor (Server) Not affected; implemented version of OpenSSL does not meet the conditions of occurrence for this vulnerability.
HIAA / Infrastructure Analytics Advisor (DCA, Windows Probe, RAID Agent) Not affected; OpenSSL is not used.

 

Recommended Actions

Please continue to check this Security Advisory, as new information will be added to it as it becomes available.

 

If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.

The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.

Internal Only