PublicDateAtUSN: 2022-03-18 18:15:00 UTC
Candidate: CVE-2022-0547
PublicDate: 2022-03-18 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0547
 https://community.openvpn.net/openvpn/wiki/CVE-2022-0547
 https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
 https://ubuntu.com/security/notices/USN-5347-1
Description:
 OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in
 external authentication plug-ins when more than one of them makes use of
 deferred authentication replies, which allows an external user to be
 granted access with only partially correct credentials.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008015
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_openvpn:
 upstream: https://github.com/OpenVPN/openvpn/commit/58ec3bb4aac77131118dbbc39a65181e7847adee (v2.4.12)
 upstream: https://github.com/OpenVPN/openvpn/commit/af3e382649d96ae77cc5e42be8270f355e5cfec5 (v2.5.6)
upstream_openvpn: released (2.5.6-1)
trusty/esm_openvpn: needs-triage
esm-infra/xenial_openvpn: needs-triage
trusty_openvpn: ignored (out of standard support)
xenial_openvpn: ignored (out of standard support)
bionic_openvpn: released (2.4.4-2ubuntu1.7)
focal_openvpn: released (2.4.7-1ubuntu2.20.04.4)
impish_openvpn: released (2.5.1-3ubuntu1.1)
jammy_openvpn: released (2.5.5-1ubuntu3)
devel_openvpn: released (2.5.5-1ubuntu3)