OpenSSL Infinite Loop When Parsing Certificates

OpenSSL recently released CVE-2022-0778.

The denial-of-service vulnerability in OpenSSL is triggered when a specially crafted certificate with invalid parameters is parsed by software using the OpenSSL library. 

Command Centre and Gallagher Controllers are built using OpenSSL libraries. Because certificate parsing occurs prior to verification of the certificate signature, an attacker does not require Gallagher-issued keys or certificates to exploit the vulnerability.

Command Centre and Controller software include patched versions of OpenSSL in versions:

vEL8.70.1509 (FR) and vCR8.70.220414a

vEL8.60.1811 (MR3) and vCR8.60.220414a

vEL8.50.2260 (MR5) and vCR8.50.220426a

vEL8.40.2223 (MR6) and vCR8.40.220426a

vEL8.30.1481 (MR6) and vCR8.30.220426a

Should you need any further information please contact our Security Technical Support team or your local Gallagher Representative.