This document describes the position of Product Sustaining relative to the support of a branded application.
Overview
This document addresses concerns about the TIE Server and the vulnerability listed below.
Description
CVE-2022-0778:
In the OpenSSL 1.0.2 version, the public key isn't parsed during initial parsing of the certificate, which makes it slightly harder to trigger the infinite loop.
But, any operation that requires the public key from the certificate triggers the infinite loop.
National Vulnerability Database: CVE-2022-0778
Research and Conclusions
The TIE Server engineering team has reviewed the vulnerability CVE-2022-0778 and determined that it applies to the TIE Server.
Resolution
Upgrade OpenSSL to
openssl-libs-1.0.2zd-1:
- Open a command-line session as administrator on the TIE Server.
- Download the following RPM packages and place them on the TIE Server:
RPM openssl-1.0.2zd-1.mlos2.x86_64
RPM openssl-libs-1.0.2zd-1.mlos2.x86_64
- View the currentOpenSSL library version installed with the following command:
rpm -qa | grep -i openssl
- Upgrade the TIE Server to OpenSSL 1.0.2zd-1:
rpm -Uvh openssl-1.0.2zd-1.mlos2.x86_64.rpm openssl-libs-1.0.2zd-1.mlos2.x86_64.rpm
- Verify that the OpenSSL version 1.0.2zd-1 is installed correctly:
rpm -qa | grep -i openssl
- Restart the TIE Server:
service tieserver restart
