
CVE-2022-1473: Denial of Service in OpenSSL

High
Published: Tue May 03 2022 (05/03/2022, 15:15:25 UTC)
Source: CVE
Vendor/Project: OpenSSL
Product: OpenSSL

Description

The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occupied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0, 3.0.1, 3.0.2).

AI-Powered Analysis

Last updated: 07/03/2025, 10:55:44 UTC

Technical Analysis

CVE-2022-1473 is a high-severity denial of service (DoS) vulnerability in OpenSSL 3.0.0, 3.0.1 and 3.0.2, fixed in 3.0.3. The defect is in OPENSSL_LH_flush(), the function that empties one of OpenSSL's internal hash tables (the lhash structure) and which is called on the code path that decodes certificates and keys. Because flushing does not make the memory of the removed entries available for reuse, each decode operation leaves the table's footprint larger than before. In a long-lived process that decodes certificates or keys repeatedly, memory usage therefore grows without bound until the operating system terminates the process, and walking the ever-larger, mostly empty table also makes each operation slower. The typical victims are TLS servers configured to request client certificates (every such handshake decodes a client certificate) and TLS clients that repeatedly connect and decode server certificates. OPENSSL_LH_flush() was added in OpenSSL 3.0, so 1.1.1 and earlier releases are unaffected. The input does not need to be malformed: ordinary, valid certificates exhaust memory just as well, so a remote, unauthenticated attacker only has to drive enough handshakes (or other decode operations) at the process to accelerate the growth. Confidentiality and integrity are not affected; availability is. The CVSS 3.1 base score is 7.5 (high), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: network attack vector, low attack complexity, no privileges or user interaction, unchanged scope, no confidentiality or integrity impact, high availability impact. No exploitation in the wild has been reported. The weakness is classified as CWE-459 (Incomplete Cleanup).

Potential Impact

European organizations running services that utilize OpenSSL 3.0.x versions (specifically 3.0.0 to 3.0.2) and that perform frequent certificate or key decoding in long-lived processes are at risk. This includes TLS servers configured for client certificate authentication and TLS clients that regularly decode certificates. The memory leak can cause service degradation and eventual crashes, leading to denial of service conditions. Critical infrastructure, financial institutions, healthcare providers, and government agencies relying on OpenSSL 3.0 for secure communications could face service interruptions, impacting business continuity and trust. The denial of service could be exploited remotely without authentication, increasing risk. Given the widespread use of OpenSSL in European IT environments, the impact could be significant if unpatched. However, the lack of known exploits and the requirement for specific usage patterns somewhat limit immediate widespread exploitation. Still, organizations with high availability requirements must prioritize remediation to avoid potential outages.

Mitigation Recommendations

Organizations should immediately audit their environments for systems running OpenSSL 3.0.0, 3.0.1 or 3.0.2, including applications that bundle their own copy of the library rather than using the system one. Upgrading to OpenSSL 3.0.3 or later is the primary and only complete mitigation. Where an immediate upgrade is not feasible, the following reduce exposure but do not remove it, because the leak grows with every certificate or key decoded: avoid configurations that decode certificates or keys frequently in long-lived processes, in particular client certificate authentication on TLS servers; monitor and alert on abnormal resident memory growth in TLS-terminating processes; recycle or restart such processes on a schedule or on a memory threshold so exhaustion happens under control rather than at the OS OOM killer; place vulnerable services behind load balancers or failover so a restart does not become an outage; and restrict network access so that only expected peers can drive handshakes at the service. Review application code that interacts with OpenSSL to remove unnecessary certificate or key decoding, and keep monitoring vendor advisories, since distributions that backport the fix may keep the upstream 3.0.x version string.
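The audit step above, as an added example that is not part of the advisory or of OpenSSL's own tooling. It assumes a Linux host with `openssl` on the PATH and a readable /proc filesystem; the version check only classifies upstream version strings (3.0.0, 3.0.1, 3.0.2) and the process scan only finds processes that have the OpenSSL 3 shared library mapped, which every 3.0.x release calls libssl.so.3.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a Linux host for OpenSSL builds in
# the CVE-2022-1473 range, 3.0.0 to 3.0.2. Assumes `openssl` on PATH and /proc.

# Extract the bare version from `openssl version` output such as
# "OpenSSL 3.0.2 15 Mar 2022"; a bare "3.0.2" is accepted as well.
# Prints nothing for non-OpenSSL output (for example LibreSSL).
openssl_version_of() {
    printf '%s\n' "$1" | sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.]*[a-z]*\).*/\2/p'
}

# Return 0 (true) when the version string names an affected upstream release.
# Only 3.0.0, 3.0.1 and 3.0.2 are affected: the function did not exist before
# 3.0 and 3.0.3 carries the fix. Distributions that backport the fix keep the
# 3.0.x string, so a hit here needs confirming against the package changelog.
openssl_affected() {
    case "$(openssl_version_of "$1")" in
        3.0.0|3.0.1|3.0.2) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<pid> <cmdline>" for running processes with libssl.so.3 mapped.
# libssl.so.3 is the soname of every 3.0.x release, fixed or not, so this only
# says "check this process", not "vulnerable". Maps of other users' processes
# are unreadable without root, so run as root for full coverage.
libssl3_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if grep -qs 'libssl\.so\.3' "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

main() {
    ver_line=$(openssl version 2>/dev/null) || ver_line=''
    if openssl_affected "$ver_line"; then
        echo "AFFECTED: $ver_line (CVE-2022-1473; upgrade to OpenSSL 3.0.3 or later)"
    else
        echo "not in affected range: ${ver_line:-openssl not found on PATH}"
    fi
    echo "Processes with libssl.so.3 mapped (verify each library's patch level):"
    libssl3_processes
}

main "$@"
```

`openssl version` reports the library the command-line tool is linked against, not what every application on the host uses: runtimes and containers that vendor or statically link their own OpenSSL (language runtimes, database servers, appliance images) have to be checked through their own version reporting or their SBOM, which is why the process scan is there as a second, independent signal.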


Technical Details

Data Version: 5.1
Assigner Short Name: openssl
Date Reserved: 2022-04-26T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981ec4522896dcbdbcae

Added to database: 5/21/2025, 9:08:46 AM

Last enriched: 7/3/2025, 10:55:44 AM

Last updated: 8/22/2025, 10:21:00 AM

