VYPR
High severity · NVD Advisory · Published Nov 22, 2022 · Updated Apr 29, 2025

CVE-2022-3500

Description

A vulnerability was found in keylime. This security issue happens in some circumstances: due to some improperly handled exceptions, there exists the possibility that a rogue agent could create errors on the verifier that stop attestation attempts for that host, leaving it in an attested state but not verifying it anymore.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper exception handling in Keylime allows a rogue agent to stop attestation for a host, leaving it in a falsely attested state.

Vulnerability

Overview

The vulnerability identified in CVE-2022-3500 affects Keylime, an open-source trust system that uses TPM technology for remote attestation [2]. The issue arises from exceptions that, in some circumstances, are not properly handled [1]. When such an exception occurs, a rogue agent can cause errors in the verifier component that stop further attestation attempts for that host, while the verifier's recorded state for the host stays "attested" even though it is no longer being verified [3]. In effect, the verifier can be prevented from assessing the integrity of a target machine without that machine's trust status changing.

Exploitation

Path

An attacker controlling a rogue agent can exploit this flaw by provoking error conditions that the verifier does not catch and handle [1]. No special network position is needed: the verifier contacts the agent over HTTP as part of its normal attestation cycle [2], and the code changed by the fix is the verifier's request helper (keylime/tornado_requests.py, shown under Patches), which before the fix could return None instead of a response object or let an exception type it had not anticipated escape to the caller. No authentication bypass is needed either, because the agent is already an enrolled participant in the attestation process. The attacker's goal is simply to make the verifier stop performing attestation checks for that particular host.
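To make the failure mode concrete, here is an added example that is not Keylime's code: a toy verifier polling loop fed by a constructed transport whose behaviours stand for what a rogue agent (or a misbehaving client library) can make the verifier observe. The two request helpers mirror the shape of the pre- and post-fix `tornado_requests.request` from the diff under Patches but are not copies of it; the loop, the state object, the `MalformedReply` exception and every other name here are hypothetical. It shows that with the old shape the loop dies at the first unexpected exception or empty response and the agent stays recorded as attested, while with the fixed shape the same input becomes a 599 response and the agent is marked failed.

```python
# Added example (not code from the Keylime project): a minimal model of a
# verifier's per-agent polling loop, showing why an exception escaping the
# HTTP helper freezes the agent in its last recorded state, and how the
# fix pattern (always hand back a response object) keeps the loop alive.
# All names here (Response, transport, request_vulnerable, request_fixed,
# VerifierState, poll_agent, demo) are hypothetical.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Response:
    """Stand-in for the tornado-style response object the helper returns."""
    code: int
    body: str


class MalformedReply(Exception):
    """Any exception type the helper's author did not anticipate."""


def transport(behaviour: str) -> Optional[Response]:
    """Constructed 'network': each behaviour is something a rogue agent
    or a flaky client library can make the verifier observe."""
    if behaviour == "ok":
        return Response(200, '{"quote": "...", "hash_alg": "sha256"}')
    if behaviour == "refuse":
        raise ConnectionError("connection refused")
    if behaviour == "empty":
        return None  # client library produced no response object at all
    if behaviour == "garbage":
        raise MalformedReply("unparseable frame from agent")
    raise ValueError(f"unknown behaviour {behaviour!r}")


def request_vulnerable(behaviour: str) -> Optional[Response]:
    """Pre-fix shape: only the anticipated error types are mapped to a
    Response; anything else propagates, and a missing response is
    returned as None for the caller to trip over."""
    try:
        response = transport(behaviour)
    except ConnectionError as e:
        return Response(599, f"Connection error: {e}")
    if response is None:
        return None
    return response


def request_fixed(behaviour: str) -> Response:
    """Post-fix shape: every failure path yields a Response the caller
    can act on, so the polling loop never dies because of a bad agent."""
    try:
        response = transport(behaviour)
    except ConnectionError as e:
        return Response(599, f"Connection error: {e}")
    except Exception as e:  # catch-all, as in the fix commit
        return Response(599, f"General communication failure: {e}")
    if response is None:
        return Response(599, "Unspecified failure (empty http response)")
    return response


@dataclass
class VerifierState:
    status: str = "attested"  # state recorded for the agent before polling
    polls_completed: int = 0


def poll_agent(request: Callable[[str], Optional[Response]],
               behaviours: List[str], state: VerifierState) -> str:
    """Model of the verifier's per-agent loop, one poll per behaviour.
    An exception escaping `request` (or the attribute access on a None
    result) ends the loop the way an unhandled exception ends an asyncio
    task: the loop stops and `state.status` keeps its last value."""
    try:
        for b in behaviours:
            resp = request(b)
            state.status = "attested" if resp.code == 200 else "failed"
            state.polls_completed += 1
    except Exception:
        return "loop-terminated"
    return "loop-completed"


def demo(request, behaviours: List[str]) -> Tuple[str, str, int]:
    """Run one agent through the loop; returns (outcome, final recorded
    status, number of polls that completed)."""
    state = VerifierState()
    outcome = poll_agent(request, behaviours, state)
    return outcome, state.status, state.polls_completed


if __name__ == "__main__":
    for name, fn in (("vulnerable", request_vulnerable), ("fixed", request_fixed)):
        for seq in (["ok", "garbage"], ["ok", "empty"]):
            print(name, seq, demo(fn, seq))
```

Running it prints both outcomes for the `garbage` and `empty` behaviours. The model deliberately simplifies what the real verifier does after a failed poll; the point it isolates is that a helper which can raise or return None lets a single hostile response end monitoring for that agent without ever changing the agent's recorded state.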

Impact

Successfully exploiting this vulnerability leaves the verifier's recorded state for the host indicating integrity while the verifier has stopped performing actual remote attestation checks against it [1][3]. This undermines the core trust guarantee Keylime provides: the system reports the host as attested even though its integrity is no longer being monitored. A compromised or malicious host could therefore keep operating undetected within a trusted environment, potentially enabling further compromise.

Mitigation

Status

As of the publication date, the vulnerability has been addressed by the Keylime project. Users are advised to update keylime to version 6.5.1 or later, which contains the fix for this issue [4]. Note that the fixed code is the verifier's HTTP request helper (keylime/tornado_requests.py, shown under Patches), so it is the verifier deployment that must be upgraded; upgrading or replacing agents does not close this issue on its own. Separately, the project has deprecated the Python-based agent in favor of the Rust-based agent, which it describes as offering improved security guarantees [2]; administrators may consider that migration, but it is not a substitute for patching the verifier.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
keylime (PyPI)   < 6.5.1             6.5.1

Affected products

11

Patches

1
f969d397f929

Fix proper exception handling and impedance match in `tornado_requests` (#1128)

https://github.com/keylime/keylime · George Almási · Oct 10, 2022 · via ghsa
1 file changed · +3 −2
  • keylime/tornado_requests.py  +3 −2  modified
    @@ -39,16 +39,17 @@ async def request(method, url, params=None, data=None, context=None, headers=Non
         except httpclient.HTTPError as e:
             if e.response is None:
                 return TornadoResponse(500, str(e))
    -
             return TornadoResponse(e.response.code, e.response.body)
         except ConnectionError as e:
             return TornadoResponse(599, f"Connection error: {str(e)}")
         except ssl.SSLError as e:
             return TornadoResponse(599, f"SSL connection error: {str(e)}")
         except OSError as e:
             return TornadoResponse(599, f"TCP/IP Connection error: {str(e)}")
    +    except Exception as e:
    +        return TornadoResponse(599, f"General communication failure: {str(e)}")
         if response is None:
    -        return None
    +        return TornadoResponse(599, "Unspecified failure in tornado (empty http response)")
         return TornadoResponse(response.code, response.body)
     
     
    
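Review bot: the new catch-all `except Exception as e:` returns `TornadoResponse(599, f"General communication failure: {str(e)}")` without logging or re-raising anything, so a genuine programming error inside `request` (a `TypeError`, an unexpected `KeyError`) now looks exactly like a transport failure, and the only trace is `str(e)` in a response body the caller may discard. Suggest logging the exception with its traceback on that path (for example via the module logger's `exception()` method) before returning, so the agent-triggered condition this fix is meant to survive stays visible to operators instead of being silently converted to 599. Related: after this hunk five distinct failure classes (connection error, SSL error, generic `OSError`, unexpected exception, and the new empty-response case) all map to code 599 with only a free-text message to tell them apart, so a caller that wants to treat an SSL failure (possibly a hostile or misconfigured agent certificate) differently from a refused connection has nothing structured to branch on. Finally, the `except ConnectionError` and `except ssl.SSLError` clauses must remain ahead of `except OSError`, since both are `OSError` subclasses; a one-line comment saying so would keep a later edit from reordering them.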

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

16

News mentions

0

No linked articles in our index yet.