CVE-2022-22423

Vulnerability

IBM Common Cryptographic Architecture (CCA) versions 5.0.0 through 5.7.11 for the IBM 4767 HSM and versions 7.0.0 through 7.3.43 for the IBM 4769 HSM contain an improper input validation vulnerability [1]. This flaw allows specially-crafted requests to force the affected HSM into a check-stop condition.

Exploitation

A local user with low privileges can exploit this vulnerability by sending specially-crafted requests to the HSM [1]. No user interaction is required, and the attack can be performed with minimal complexity.

Impact

Successful exploitation results in a denial of service, causing the HSM to enter a check-stop state that disrupts cryptographic operations. The availability impact is high, while confidentiality and integrity are not affected. Recovery from a check-stop condition requires manual intervention [1].

Mitigation

IBM has released fixed versions: CCA 5.7.12 or later for the 4767 HSM, and CCA 7.3.44 or later for the 4769 HSM [1]. Users should upgrade to these versions to remediate the vulnerability. Platform-specific updates are available for AIX, IBM i, Linux, and other supported platforms.