CVE-2022-0778 is a denial of service vulnerability in OpenSSL, a component of CodeSonar. The flaw is an infinite loop in OpenSSL's BN_mod_sqrt() function, which can be reached while parsing a certificate that carries invalid explicit elliptic-curve parameters.
If a CodeSonar hub is running in HTTPS mode, a malicious actor with network access to the hub can cause one hub worker process to go into an infinite loop by presenting a crafted certificate in a TLS client authentication request to the hub. Each repetition of the request ties up another worker, so an attacker can repeat it until all hub processes are stuck. Restarting the hub clears any stuck processes.
Since this is a denial of service vulnerability, the impact is limited: attackers cannot steal data or execute arbitrary code using this attack vector. Since CodeSonar's EULA forbids placing CodeSonar hubs on the internet, the malicious actor would need to be on the customer's intranet. Evidence of the IP address originating the attack can be found in the hub's traffic.txt log.
We expect that network testing tools such as Metasploit may begin testing for and triggering this issue in the near future. If this occurs, you might notice a hub process using an abnormal amount of CPU indefinitely.
CodeSonar 7.0 will contain an upgraded version of OpenSSL in which this vulnerability has been fixed.
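The following is an added example, not part of this advisory or of CodeSonar itself, showing how to decide from an `openssl version` banner whether a given OpenSSL build is still exposed to CVE-2022-0778. It relies on the fixed releases named in OpenSSL's own advisory for this CVE (1.0.2zd, 1.1.1n and 3.0.2) and on OpenSSL's letter-suffix patch numbering for the 1.x branches; the assumption that out-of-support 1.x branches (1.1.0 and older) should be treated as vulnerable is the example's own conservative choice. The OpenSSL version bundled with any particular CodeSonar release is not stated on this page and is not encoded here.

```python
import re
import ssl
import subprocess

# Minimum fixed releases for CVE-2022-0778, from the OpenSSL security
# advisory of 15 March 2022. 3.x is purely numeric; 1.x branches use a
# letter patch suffix (1.1.1m < 1.1.1n, and 1.0.2z < 1.0.2za < ... < 1.0.2zd).
FIXED_SUFFIX = {
    (1, 0, 2): "zd",
    (1, 1, 1): "n",
}
FIXED_3X = (3, 0, 2)

_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, patch, suffix) from an `openssl version` banner,
    e.g. 'OpenSSL 1.1.1m  14 Dec 2021' -> (1, 1, 1, 'm')."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4)


def suffix_rank(suffix):
    """Map OpenSSL's letter patch suffix to a sortable integer:
    '' < 'a' < ... < 'z' < 'za' < 'zb' < ... ('z' = 26, 'za' = 27, 'zd' = 30)."""
    return sum(ord(c) - ord("a") + 1 for c in suffix)


def is_vulnerable_to_cve_2022_0778(banner):
    """True if the OpenSSL build described by `banner` predates the fix."""
    major, minor, patch, suffix = parse_openssl_version(banner)
    if major >= 3:
        # 3.0.0 and 3.0.1 are affected; 3.0.2 and every later 3.x line carry the fix.
        return (major, minor, patch) < FIXED_3X
    branch = (major, minor, patch)
    if branch not in FIXED_SUFFIX:
        # Assumption (conservative): 1.1.0, 1.0.1 and older were out of support
        # when the CVE was published and never received a fixed release.
        return True
    return suffix_rank(suffix) < suffix_rank(FIXED_SUFFIX[branch])


def check_local_openssl():
    """Report on the `openssl` CLI found on PATH and on the library Python links.
    Note that a CodeSonar hub may ship its own OpenSSL; inspect that copy instead."""
    results = {"python-linked": is_vulnerable_to_cve_2022_0778(ssl.OPENSSL_VERSION)}
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
        results["cli"] = is_vulnerable_to_cve_2022_0778(out)
    except (FileNotFoundError, subprocess.CalledProcessError, ValueError):
        results["cli"] = None  # no usable openssl CLI on PATH
    return results


if __name__ == "__main__":
    # Constructed sample banners covering each branch, on both sides of the fix.
    for banner in ("OpenSSL 1.1.1m  14 Dec 2021", "OpenSSL 1.1.1n  15 Mar 2022",
                   "OpenSSL 1.0.2u  20 Dec 2019", "OpenSSL 1.0.2zd  15 Mar 2022",
                   "OpenSSL 3.0.1 14 Dec 2021", "OpenSSL 3.0.2 15 Mar 2022"):
        state = "VULNERABLE" if is_vulnerable_to_cve_2022_0778(banner) else "fixed"
        print(f"{banner.strip():32} {state}")
    print(check_local_openssl())
```

Run it against the banner of the OpenSSL copy the hub actually loads, not only the system-wide one: a product that bundles its own libssl is unaffected by a distribution upgrade, which is why the advisory points at a CodeSonar release rather than an OS patch.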