PatchSiren cyber security CVE debrief
CVE-2022-4450 Hitachi Energy CVE debrief
CVE-2022-4450, as published in the 2025-02-25 CISA advisory for Hitachi Energy PCU400, describes an OpenSSL PEM parsing flaw that can leave a freed header buffer reachable after a failed parse. If a caller frees that buffer again, a double free can occur, most likely crashing the process. In the supplied advisory, the impact is denial of service, and the issue is relevant to affected PCU400 and PCULogger versions when they process PEM content from untrusted or malicious sources.
- Vendor
- Hitachi Energy
- Product
- PCU400
- CVSS
- MEDIUM 5.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-02-11
- Original CVE updated
- 2025-05-06
- Advisory published
- 2025-02-11
- Advisory updated
- 2025-05-06
Who should care
Operators, maintainers, and integrators using Hitachi Energy PCU400 or PCULogger should care most, especially if deployments use IEC62351-3 secure workflows or accept PEM files from external or less-trusted sources. Availability-sensitive ICS environments should prioritize this because the flaw can crash parsing components.
Technical summary
The advisory maps CVE-2022-4450 to a double-free condition in OpenSSL's PEM_read_bio_ex() path. A PEM file with zero bytes of payload can cause the function to fail while leaving the header argument pointing to already-freed memory; if the caller then frees it, a double free occurs. The record states that PEM_read_bio() and PEM_read() wrappers, as well as indirect callers such as PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file(), are affected in contexts where they free the returned header on failure. For Hitachi Energy, the affected products listed are PCU400 versions 6.5 K and below, PCU400 versions 9.4.1 and below, and PCULogger versions 1.1.0 and below. The supplied CVSS vector is 7.5/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Defensive priority
High — prioritize patching where these products may parse untrusted PEM files or support external import paths, because the documented outcome is process crash and service disruption.
Recommended defensive actions
- Upgrade PCU400 versions 6.5 K and below to version 6.6.0 or later if IEC62351-3 secure for IEC104/DNP3 is used.
- Upgrade PCU400 versions 9.4.1 and below to version 9.4.2 or later if IEC62351-3 secure for IEC104/DNP3 is used.
- For PCULogger versions 1.1.0 and below, plan migration to version 1.2.0 when available; the advisory says it is compatible with PCU400 9.4.2 and later.
- Restrict and validate any workflow that accepts PEM files from untrusted sources, and monitor affected systems for crashes or abnormal restarts while remediation is underway.
- Apply CISA ICS recommended practices to reduce exposure and improve resilience in industrial environments.
Evidence notes
The source corpus is the CISA CSAF advisory ICSA-25-065-01 for Hitachi Energy PCU400, published and modified on 2025-02-25, with the same date used for the supplied CVE record context. The advisory text attributes the issue to OpenSSL PEM parsing, describes the likely impact as a crash/denial of service, and lists PCU400 and PCULogger affected versions and remediations. The enrichment data marks the item as not KEV-listed in the supplied corpus.
Official resources
-
CVE-2022-4450 CVE record
CVE.org
-
CVE-2022-4450 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in the CISA CSAF advisory ICSA-25-065-01 on 2025-02-25; the supplied enrichment does not list the issue in CISA KEV.