CVE-2022-3996
X.509 Policy Constraints Double Locking
If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. Update (31 March 2023): The description of the policy processing enablement was corrected based on CVE-2023-0466.
We have discovered 19,072 live websites that are affected by CVE-2022-3996.
Affected Software
| Product |  OpenSSL |
| Category | Web Server Extensions |
| Vulnerable Versions |
|
| Total Vulnerable Versions | 30 |
| Vulnerable Domains | 19,072 live websites (1.75% of OpenSSL install base) |
Details
- Published - Dec 13, 2022
- Updated - Mar 31, 2023
Credits
- Polar Bear (finder)
- Paul Dale (remediation developer)
CWE
CVE References
CWE References
Countries
 United States | 4,956 websites |
 Germany | 2,436 websites |
 France | 1,611 websites |
 Japan | 1,030 websites |
 GB | 864 websites |
 Finland | 803 websites |
 Czech Republic | 711 websites |
 Italy | 675 websites |
 Hungary | 521 websites |
 Canada | 473 websites |
TLDs
| .com | 5,688 websites |
| .de | 1,651 websites |
| .org | 1,053 websites |
| .edu | 962 websites |
| .net | 915 websites |
| .fr | 780 websites |
| .fi | 661 websites |
| .cz | 568 websites |
| .it | 496 websites |
| .co.uk | 489 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redReferences
- https://www.openssl.org/news/secadv/20221213.txt
- https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7
Websites affected by CVE-2022-3996
Top websites that are affected by CVE-2022-3996. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.org | United States | *,*** | |
| ***.******.org | United States | *,*** | |
| ****.******.org | United States | *,*** | |
| ****.org | United States | *,*** | |
| ***.****.org | United States | *,*** | |
| ***.net |  Singapore | *,*** | |
| ********.org | Germany | *,*** | |
| ********.edu | United States | **,*** | |
| **********.******.com | United States | **,*** | |
| ***.********.be |  Belgium | **,*** |