OpenSSL Infinite Loop When Parsing Certificates
OpenSSL recently published an advisory for CVE-2022-0778.
This denial-of-service vulnerability in OpenSSL is triggered when software using the OpenSSL library parses a specially crafted certificate containing invalid parameters.
Command Centre and Gallagher Controllers are built using OpenSSL libraries. Because certificate parsing occurs prior to verification of the certificate signature, an attacker does not require Gallagher-issued keys or certificates to exploit the vulnerability.
Patched versions of OpenSSL are included in the following Command Centre and Controller releases:
vEL8.70.1509 (FR) and vCR8.70.220414a
vEL8.60.1811 (MR3) and vCR8.60.220414a
vEL8.50.2260 (MR5) and vCR8.50.220426a
vEL8.40.2223 (MR6) and vCR8.40.220426a
vEL8.30.1481 (MR6) and vCR8.30.220426a
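As an added example (not Gallagher's own code), the following Python helper classifies Command Centre (vEL) and Controller (vCR) version strings against the patched releases listed above, so an inventory can be triaged for CVE-2022-0778 exposure. The version-string layout it parses is assumed from the list, and the inventory entries are constructed sample data.

```python
import re

# Minimum patched build per release branch, taken from the advisory's list.
# Controller builds are date-stamped (YYMMDD) plus a letter, stored as (date, letter).
PATCHED = {
    "EL": {"8.70": 1509, "8.60": 1811, "8.50": 2260, "8.40": 2223, "8.30": 1481},
    "CR": {"8.70": (220414, "a"), "8.60": (220414, "a"), "8.50": (220426, "a"),
           "8.40": (220426, "a"), "8.30": (220426, "a")},
}

# Assumed layout: v<EL|CR><major>.<minor>.<build>[letter], e.g. vEL8.70.1509 or vCR8.60.220414a
_VERSION_RE = re.compile(r"^v(EL|CR)(\d+\.\d+)\.(\d+)([a-z]?)$")


def is_patched(version: str):
    """True if the release carries the CVE-2022-0778 fix, False if it predates it,
    None when the advisory lists no patched release for that branch."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Gallagher version string: {version!r}")
    product, branch, build, letter = m.groups()
    minimum = PATCHED[product].get(branch)
    if minimum is None:
        return None
    if product == "EL":
        return int(build) >= minimum
    # Compare the date numerically first, then the letter, so 220426a > 220414a
    # and 220414b > 220414a.
    return (int(build), letter) >= minimum


def unpatched(inventory):
    """Names whose version is not confirmed patched (either too old or on an
    unlisted branch), i.e. the hosts that still need attention."""
    return [name for name, ver in inventory if is_patched(ver) is not True]


# Constructed sample inventory of (hostname, reported version).
SAMPLE_INVENTORY = [
    ("cc-server-01", "vEL8.60.1811"),
    ("cc-server-02", "vEL8.50.2100"),
    ("controller-lobby", "vCR8.70.220414a"),
    ("controller-dock", "vCR8.40.220301a"),
]

if __name__ == "__main__":
    print("needs update:", unpatched(SAMPLE_INVENTORY))
```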
Should you need any further information please contact our Security Technical Support team or your local Gallagher Representative.