CVE-2022-2097 - Vulnerability Details

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Debian	Debian Linux
Fedoraproject	Fedora
Netapp	Active Iq Unified Manager Active Iq Unified Manager For Vmware Vsphere Brocade Fabric Operating System Firmware Clustered Data Ontap Antivirus Connector H300s Firmware H410c H410c Firmware H410s H410s Firmware H500s H500s Firmware H700s H700s Firmware Hci Baseboard Management Controller Oncommand Insight Ontap Antivirus Connector Ontap Select Deploy Administration Utility Smi-s Provider Snapcenter
Openssl	Openssl
Redhat	Enterprise Linux
Siemens	Sinec Ins

Configuration 1 [-]

OR	cpe:2.3:a:openssl:openssl::::::::
	cpe:2.3:a:openssl:openssl::::::::

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:35:::::::*
	cpe:2.3:o:fedoraproject:fedora:36:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
	cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:::::::*

Configuration 4 [-]

AND

cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*

Configuration 9 [-]

OR	cpe:2.3:a:siemens:sinec_ins::::::::
	cpe:2.3:a:siemens:sinec_ins:1.0:-::::::
	cpe:2.3:a:siemens:sinec_ins:1.0:sp1::::::
	cpe:2.3:a:siemens:sinec_ins:1.0:sp2::::::

Configuration 10 [-]

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
openssl-1:1.1.1k-7.el8_6	cpe:/o:redhat:enterprise_linux:8	RHSA-2022:5818	2022-08-03T00:00:00Z
Red Hat Enterprise Linux 9
openssl-1:3.0.1-41.el9_0	cpe:/a:redhat:enterprise_linux:9	RHSA-2022:6224	2022-08-30T00:00:00Z
openssl-1:3.0.1-41.el9_0	cpe:/o:redhat:enterprise_linux:9	RHSA-2022:6224	2022-08-30T00:00:00Z

References

Link	Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=919925673d6c9cfed3c1085497f5dfbbed5fc431
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a98f339ddd7e8f487d6e0088d4a9a42324885a93
https://lists.debian.org/debian-lts-announce/2023/02/msg00019.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6CK57NBQFTPUMXAPJURCGXUYT76NQAK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6567JERRHHJW2GNGJGKDRNHR7SNPZK7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/
https://nvd.nist.gov/vuln/detail/CVE-2022-2097
https://security.gentoo.org/glsa/202210-02
https://security.netapp.com/advisory/ntap-20220715-0011/
https://security.netapp.com/advisory/ntap-20230420-0008/
https://security.netapp.com/advisory/ntap-20240621-0006/
https://www.cve.org/CVERecord?id=CVE-2022-2097
https://www.debian.org/security/2023/dsa-5343
https://www.openssl.org/news/secadv/20220705.txt

History

Thu, 26 Feb 2026 13:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Netapp active Iq Unified Manager For Vmware Vsphere Netapp brocade Fabric Operating System Firmware Netapp hci Baseboard Management Controller Netapp oncommand Insight Netapp ontap Antivirus Connector Netapp ontap Select Deploy Administration Utility Netapp smi-s Provider Netapp snapcenter
CPEs		cpe:2.3:a:netapp:active_iq_unified_manager_for_vmware_vsphere:::::::: cpe:2.3:a:netapp:hci_baseboard_management_controller:h300s:::::::* cpe:2.3:a:netapp:hci_baseboard_management_controller:h410c:::::::* cpe:2.3:a:netapp:hci_baseboard_management_controller:h410s:::::::* cpe:2.3:a:netapp:hci_baseboard_management_controller:h500s:::::::* cpe:2.3:a:netapp:hci_baseboard_management_controller:h700s:::::::* cpe:2.3:a:netapp:oncommand_insight:::::::: cpe:2.3:a:netapp:ontap_antivirus_connector:::::::: cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:::::::: cpe:2.3:a:netapp:smi-s_provider:::::::: cpe:2.3:a:netapp:snapcenter:::::::: cpe:2.3:a:openssl:openssl:1.1.1:::::::* cpe:2.3:a:openssl:openssl:3.0.0:::::::* cpe:2.3:o:netapp:brocade_fabric_operating_system_firmware::::::::
Vendors & Products		Netapp active Iq Unified Manager For Vmware Vsphere Netapp brocade Fabric Operating System Firmware Netapp hci Baseboard Management Controller Netapp oncommand Insight Netapp ontap Antivirus Connector Netapp ontap Select Deploy Administration Utility Netapp smi-s Provider Netapp snapcenter
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: openssl

Published: 2022-07-05T10:30:13.658Z

Updated: 2024-09-17T01:06:49.390Z

Reserved: 2022-06-16T00:00:00.000Z

Link: CVE-2022-2097

Vulnrichment

Updated: 2024-08-03T00:24:44.189Z

NVD

Status : Modified

Published: 2022-07-05T11:15:08.340

Modified: 2024-11-21T07:00:18.757

Link: CVE-2022-2097

Redhat

Severity : Moderate

Publid Date: 2022-07-05T00:00:00Z

Links: CVE-2022-2097 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object