A flaw was found in OpenSSL. The issue in CVE-2022-1292 did not find other places in the `c_rehash` script where it possibly passed the file names of certificates being hashed to a command executed through the shell. Some operating systems distribute this script in a manner where it is automatically executed. On these operating systems, this flaw allows an attacker to execute arbitrary commands with the privileges of the script.
A flaw was found in OpenSSL. The issue in CVE-2022-1292 did not find other places in the `c_rehash` script where it possibly passed the file names of certificates being hashed to a command executed through the shell. Some operating systems distribute this script in a manner where it is automatically executed. On these operating systems, this flaw allows an attacker to execute arbitrary commands with the privileges of the script.
Red Hat Enterprise Linux uses a system-wide store of trusted certificates bundled in a single file and updated via update-ca-trust
. The c_rehash
script is not included in the default installation on any supported RHEL version and is never executed automatically. For these reasons, this flaw has been rated as having a security impact of Moderate.
Red Hat Enterprise Linux 7 provides a vulnerable version of the c_rehash
script in the openssl-perl
package, available only through the unsupported Optional repository. As the Optional repository is not supported and Red Hat Enterprise Linux 7 is in Maintenance Support 2 Phase, this issue is not planned to be addressed there.
Red Hat updates the OpenSSL compatibility packages (compat-openssl) to only address Important or Critical security issues with backported security patches.
As mentioned in the upstream security advisory, use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command-line tool.