What is CVE-2022-3358?

A high-severity vulnerability in OpenSSL affects versions 3.0.0 to 3.0.5, potentially allowing attackers to exploit custom ciphers. Immediate patching is recommended.

What is the severity of CVE-2022-3358?

CVE-2022-3358 has a severity rating of HIGH with a CVSS base score of 7.5.

CVE-2022-3358 | High Vulnerability in OpenSSL

OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions).

Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However, it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new().

When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext.

Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5).

Risk to organizations includes unauthorized access to sensitive data due to improper handling of encryption keys, leading to potential data leaks and compliance issues. Organizations should prioritize patching immediately.

Vulnerability Details

The OpenSSL vulnerability CVE-2022-3358 is classified as high severity with a CVSS score of 7.5. It affects OpenSSL versions 3.0.0 to 3.0.5 and allows the misuse of custom ciphers due to incorrect handling of legacy support. The vulnerability is categorized under CWE-476, which relates to NULL Pointer Dereferences.

Technical Analysis

The root cause of this vulnerability lies in the improper handling of the NID parameter passed to the EVP_CIPHER_meth_new() function. If an application erroneously uses NID_undef, the encryption functions will match the NULL cipher, leading to plaintext being emitted as ciphertext. This vulnerability has a network attack vector with low complexity and requires no privileges or user interaction.

Risk & Impact Analysis

Organizations using affected versions of OpenSSL are at significant risk of unauthorized data exposure. The potential blast radius includes any application relying on the vulnerable versions for cryptographic functions. Given the nature of this vulnerability, organizations should assess their exposure and prioritize remediation based on the CVSS score and the potential impacts identified.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

All versions of OpenSSL from 3.0.0 to 3.0.5 are affected by this vulnerability. The issue has been addressed in version 3.0.6.

Mitigation & Remediation

Organizations should upgrade to OpenSSL version 3.0.6 or later to mitigate this vulnerability. In cases where immediate upgrading is not possible, a thorough review of the application logic should be conducted to ensure that NID_undef is not being used in calls to EVP_CIPHER_meth_new(). Additionally, security testing processes should be enhanced to validate cryptographic implementations.

Detection Guidance

Monitoring for logs that indicate the use of NID_undef in cipher initializations is critical. Applications should be audited for cryptographic function calls to ensure compliance with security best practices.

AppSecure Threat Intelligence Insight

The presence of this vulnerability underscores the importance of adhering to the latest cryptographic standards and practices. Security teams are advised to conduct regular audits and maintain updated libraries to minimize exposure to vulnerabilities. For further guidance, organizations may benefit from engaging in penetration testing and continuous security assessments.

Organizations should stay informed about emerging threats and vulnerabilities, leveraging resources such as the vulnerability management program to enhance their defensive posture.

Additionally, understanding the implications of these vulnerabilities can drive the implementation of penetration testing methodologies that effectively identify and mitigate risks.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2022-3358: High Vulnerability in OpenSSL