CVE-2022-1343 Overview
CVE-2022-1343 is a Certificate Validation Bypass vulnerability in OpenSSL's OCSP_basic_verify function. The function is designed to verify the signer certificate on an OCSP (Online Certificate Status Protocol) response. However, when the non-default OCSP_NOCHECKS flag is used, the function incorrectly returns a positive result (indicating successful verification) even when the response signing certificate fails to verify. This allows attackers to potentially bypass certificate validation checks in applications that rely on this function with the vulnerable flag.
Critical Impact
Applications using OpenSSL's OCSP_basic_verify with the OCSP_NOCHECKS flag may accept invalid or malicious certificates as valid, potentially enabling man-in-the-middle attacks or trust chain bypasses.
Affected Products
- OpenSSL 3.0.0, 3.0.1, 3.0.2
- NetApp Active IQ Unified Manager
- NetApp Clustered Data ONTAP
- NetApp Clustered Data ONTAP Antivirus Connector
- NetApp SAN/NAS Storage Appliances (AFF and FAS series)
- NetApp HCI Storage Nodes (H300, H500, H700 series)
Discovery Timeline
- May 3, 2022 - CVE-2022-1343 published to NVD
- May 5, 2025 - Last updated in NVD database
Technical Details for CVE-2022-1343
Vulnerability Analysis
The vulnerability exists within the OCSP_basic_verify function in OpenSSL's OCSP implementation. Under normal circumstances, when certificate verification fails, the function should return 0 to indicate a failed verification. However, when the OCSP_NOCHECKS flag is passed to the function, the logic incorrectly bypasses the proper error handling, returning a positive value that indicates successful verification even when the signing certificate is invalid or untrusted.
This issue also affects the OpenSSL command-line ocsp application. When the -no_cert_checks option is used to verify an OCSP response, the application reports successful verification despite the underlying failure: the output shows error messages describing the certificate verification failure alongside a final result claiming success.
It is important to note that the OCSP_NOCHECKS flag is not used by default, which limits the immediate impact of this vulnerability. However, applications that explicitly enable this flag for specific use cases are at risk of accepting improperly validated certificates.
Root Cause
The root cause of this vulnerability is improper error handling in the OCSP_basic_verify function when the OCSP_NOCHECKS flag is set. The code path that processes this flag fails to properly propagate certificate verification failures to the caller, instead returning a success status. This represents a CWE-295 (Improper Certificate Validation) weakness where the certificate validation logic does not adequately enforce the security requirements.
Attack Vector
An attacker could exploit this vulnerability in scenarios where:
- The target application uses OpenSSL's OCSP_basic_verify function with the OCSP_NOCHECKS flag enabled
- The attacker can present a malicious OCSP response with an invalid or forged signing certificate
- Due to the vulnerability, the application incorrectly trusts the malicious response as valid
This could enable various attack scenarios including certificate status manipulation, where an attacker could make a revoked certificate appear valid or cause denial of service by making valid certificates appear revoked.
The vulnerability is exploitable over the network without requiring authentication or user interaction, though its impact is limited to integrity violations rather than full system compromise.
Detection Methods for CVE-2022-1343
Indicators of Compromise
- Applications or services using OpenSSL versions 3.0.0, 3.0.1, or 3.0.2 with OCSP verification enabled
- Log entries from the OpenSSL ocsp command showing contradictory verification messages alongside success results
- Unusual certificate validation behaviors where revoked or invalid certificates are being accepted
Detection Strategies
- Audit application code for usage of OCSP_basic_verify function with the OCSP_NOCHECKS flag
- Review system logs for error messages related to OCSP certificate verification failures that do not result in connection termination
- Monitor for applications making OCSP requests that subsequently accept connections with certificates that should have been rejected
- Use vulnerability scanning tools to identify systems running affected OpenSSL versions
Monitoring Recommendations
- Implement version tracking for all OpenSSL library instances across the infrastructure
- Configure centralized logging to capture certificate validation events and OCSP response processing
- Set up alerts for certificate validation anomalies where error messages don't match the final validation outcome
- Monitor network traffic for OCSP requests to identify systems that may be using the vulnerable verification path
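The version check, source audit and contradictory-output alert from the Detection Strategies and Monitoring Recommendations above, as a POSIX shell script. This is an added example, not code from the page or from the OpenSSL project; the function names are hypothetical and the sample ocsp outputs are constructed here, loosely following the tool's "Verify error:" and "Response verify OK" messages.

```shell
#!/bin/sh
# Added example, not from the original page or the OpenSSL project.
# Three defender-side checks for CVE-2022-1343 exposure:
#  1. classify an "openssl version" banner against the affected 3.0.0-3.0.2 range
#  2. find source lines that pass OCSP_NOCHECKS, the flag that enables the bad path
#  3. flag ocsp tool output where a verify error sits next to a success result

# Prints "affected" (3.0.0-3.0.2), "fixed" (3.0.3 and later 3.0.x) or
# "other" (any release outside the 3.0 series the advisory names).
classify_openssl_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    case "$ver" in
        3.0.0|3.0.1|3.0.2) echo affected ;;
        3.0.*)             echo fixed ;;
        *)                 echo other ;;
    esac
}

# Lists C/C++ source lines under $1 that mention OCSP_NOCHECKS; an empty
# result suggests the application never requests the vulnerable path.
audit_nochecks_usage() {
    find "$1" -type f \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' -o -name '*.h' \) \
        -exec grep -Hn 'OCSP_NOCHECKS' {} +
}

# Reads ocsp tool output on stdin. Exit 0 when a certificate verify error and
# "Response verify OK" appear in the same output (the contradictory pattern
# the advisory describes), exit 1 otherwise.
contradictory_ocsp_output() {
    awk '/certificate verify error/ || /Verify error:/ { err = 1 }
         /Response verify OK/                         { ok = 1 }
         END { if (err && ok) exit 0; exit 1 }'
}

# Constructed sample outputs (not captured from a real run): the first mimics
# the 3.0.2 behaviour with -no_cert_checks, the second a clean verification.
SAMPLE_CONTRADICTORY='error:...:OCSP routines:OCSP_basic_verify:certificate verify error:...:Verify error: unable to get local issuer certificate
Response verify OK
server.example: good'
SAMPLE_CLEAN='Response verify OK
server.example: good'

if [ "${1:-}" = "--demo" ]; then
    classify_openssl_version "$(openssl version 2>/dev/null)"
    printf '%s\n' "$SAMPLE_CONTRADICTORY" | contradictory_ocsp_output && echo "contradictory output detected"
fi
```

Run with `--demo` to classify the locally installed OpenSSL, or pipe captured ocsp output into contradictory_ocsp_output from a log-collection job.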
How to Mitigate CVE-2022-1343
Immediate Actions Required
- Upgrade OpenSSL to version 3.0.3 or later immediately
- Audit applications that use the OCSP_basic_verify function to identify if OCSP_NOCHECKS flag is being used
- If using the OpenSSL ocsp command-line tool, avoid the -no_cert_checks option until patched
- Review and update any NetApp products to vendor-recommended firmware versions as per the NetApp Security Advisory
Patch Information
OpenSSL has released version 3.0.3 which contains the fix for this vulnerability. The patch ensures that OCSP_basic_verify correctly returns a negative value (indicating a fatal error) when certificate verification fails, regardless of whether the OCSP_NOCHECKS flag is used. Administrators should upgrade to OpenSSL 3.0.3 or later as described in the OpenSSL Security Announcement.
For affected NetApp products, consult the vendor-specific advisories.
Workarounds
- Remove usage of the OCSP_NOCHECKS flag from application code if present; this is the most effective workaround
- Avoid using the -no_cert_checks option with the OpenSSL ocsp command-line tool
- Implement additional certificate validation checks in application logic as a defense-in-depth measure
- Consider temporarily disabling OCSP stapling or checking until patched versions can be deployed
# Check the OpenSSL version to determine if it is affected (3.0.0, 3.0.1 and 3.0.2 are vulnerable)
openssl version
# Example: upgrade OpenSSL on Debian/Ubuntu systems; applications link against the
# libssl3 library package, so upgrade it together with the openssl command-line package
sudo apt-get update
sudo apt-get install --only-upgrade openssl libssl3
# Verify the upgraded version (should be 3.0.3 or later), then restart services
# that still have the old library loaded
openssl version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.