There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
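The advisory above notes that, when the attacker controls only one of the two inputs, the other one must already carry an X.400 address as a CRL distribution point, which is uncommon. The following added example (it is not part of this bug report or of OpenSSL) is a small pure-Python scanner that lists the GeneralName choices in a DER-encoded GeneralNames value, such as the fullName of a CRL distribution point, and flags x400Address entries; the sample bytes are constructed inline and the tag numbers are the RFC 5280 GeneralName CHOICE tags.

```python
# RFC 5280 GeneralName CHOICE tags; [3] x400Address is the one CVE-2023-0286 needs.
GENERAL_NAME_TAGS = {0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
                     4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
                     7: "iPAddress", 8: "registeredID"}

def der_read_tlv(buf: bytes, pos: int):
    """Decode one DER element at pos; return (class, constructed, tag, value, next_pos)."""
    first = buf[pos]
    tag_class, constructed, tag = first >> 6, bool(first & 0x20), first & 0x1F
    if tag == 0x1F:                         # high-tag-number form never occurs in GeneralName
        raise ValueError("high-tag-number form not supported")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes, big-endian
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag_class, constructed, tag, buf[pos:end], end

def general_name_choices(general_names_der: bytes):
    """Return the CHOICE name of every GeneralName in a DER GeneralNames SEQUENCE."""
    tag_class, constructed, tag, body, _ = der_read_tlv(general_names_der, 0)
    if tag_class != 0 or not constructed or tag != 16:
        raise ValueError("expected a universal SEQUENCE (GeneralNames)")
    names, pos = [], 0
    while pos < len(body):
        tag_class, _, tag, _, pos = der_read_tlv(body, pos)
        if tag_class != 2:                  # each GeneralName is context-specific tagged
            raise ValueError("GeneralName must be context-specific tagged")
        names.append(GENERAL_NAME_TAGS.get(tag, f"[{tag}]"))
    return names

def has_x400_address(general_names_der: bytes) -> bool:
    return "x400Address" in general_name_choices(general_names_der)

def der_encode(tag: int, body: bytes) -> bytes:
    """Short-form-length encoder, enough to build the constructed samples below."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

# Constructed sample (not from a real CRL): a URI plus a [3] x400Address whose
# ORAddress body is a placeholder (SEQUENCE holding an empty SEQUENCE).
SAMPLE_URI = der_encode(0x86, b"http://crl.example.test/ca.crl")
SAMPLE_X400 = der_encode(0xA3, der_encode(0x30, der_encode(0x30, b"")))
SAMPLE_GENERAL_NAMES = der_encode(0x30, SAMPLE_URI + SAMPLE_X400)
```

Feed it the raw value of a distribution point's fullName (or a SAN/IAN extension) to find out whether any chain or CRL you serve would satisfy the uncommon precondition the advisory describes.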
Created edk2 tracking bugs for this issue:
Affects: fedora-36 [bug 2167867]
Affects: fedora-37 [bug 2167874]

Created mingw-openssl tracking bugs for this issue:
Affects: fedora-36 [bug 2167868]
Affects: fedora-37 [bug 2167875]

Created openssl tracking bugs for this issue:
Affects: fedora-36 [bug 2167869]
Affects: fedora-37 [bug 2167876]

Created openssl1.1 tracking bugs for this issue:
Affects: fedora-36 [bug 2167870]
Affects: fedora-37 [bug 2167877]

Created openssl11 tracking bugs for this issue:
Affects: epel-7 [bug 2167865]

Created openssl3 tracking bugs for this issue:
Affects: epel-8 [bug 2167866]

Created shim tracking bugs for this issue:
Affects: fedora-36 [bug 2167871]
Affects: fedora-37 [bug 2167878]

Created shim-unsigned-aarch64 tracking bugs for this issue:
Affects: fedora-36 [bug 2167872]
Affects: fedora-37 [bug 2167879]

Created shim-unsigned-x64 tracking bugs for this issue:
Affects: fedora-36 [bug 2167873]
Affects: fedora-37 [bug 2167880]
Hi! As I see, you state that RHEL6 openssl is not affected. I suppose you have concluded this from the Security Advisory, but the source code of openssl shows that the vulnerable piece of code seems to be present. Have you verified the source code or concluded the vulnerability status from the security advisory? If you have verified the source code, could you please explain what exactly makes you think that openssl is not vulnerable?
(In reply to Nikita Ivanov from comment #9)
> Hi! As I see, you state that RHEL6 openssl is not affected. I suppose you
> have concluded this from Security Advisory, but source code of openssl shows
> that vulnerable piece of code seems to be present. Have you verified the
> source code or concluded vulnerability status from security advisory? If you
> have verified the source code, could you please explain what exactly makes
> you think that openssl is not vulnerable?

Hello Nikita,

We are not fixing that on RHEL-6, because as per internal policies, RHEL-6 is out of support scope. And yes, it's vulnerable to this security flaw.

Thanks
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:0946 https://access.redhat.com/errata/RHSA-2023:0946
Any plans to address it in RHEL8?
(In reply to Sandra Carney from comment #22)
> Any plans to address it in RHEL8?

RHSA-2023:109716 is already in progress for RHEL-8. Thanks.
I checked the Errata and don't see it. Is that because it hasn't been published yet? Are you targeting RHEL8 with the fix?
Sorry, I meant RHEL 8.8
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:1199 https://access.redhat.com/errata/RHSA-2023:1199
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2023:1335 https://access.redhat.com/errata/RHSA-2023:1335
Hi, I meant to ask for the patch as in a diff of the code. Is it possible to get it?
(In reply to Shankar narayanan R from comment #33)
> Hi, I meant to ask the patch as in a diff of the code. Is it possible to get
> it ?

https://git.centos.org/rpms/openssl/blob/3852e30e7f26cbb2cf30ce617099b3b2cb341a41/f/SOURCES/openssl-1.0.2k-cve-2023-0286-X400.patch would be el7
https://git.centos.org/rpms/openssl/blob/2502e239760c267784da79808cd792bfe2635626/f/SOURCES/openssl-1.1.1-cve-2023-0286-X400.patch would be el8
https://gitlab.com/redhat/centos-stream/rpms/openssl/-/blob/c9s/0107-CVE-2023-0286-X400.patch would be el9
Thanks a lot @klaas
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:1405 https://access.redhat.com/errata/RHSA-2023:1405
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2023:1437 https://access.redhat.com/errata/RHSA-2023:1437
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Advanced Update Support
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.2 Telecommunications Update Service
Via RHSA-2023:1439 https://access.redhat.com/errata/RHSA-2023:1439
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Extended Lifecycle Support Via RHSA-2023:1438 https://access.redhat.com/errata/RHSA-2023:1438
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2023:1440 https://access.redhat.com/errata/RHSA-2023:1440
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:1441 https://access.redhat.com/errata/RHSA-2023:1441
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-0286
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:2022 https://access.redhat.com/errata/RHSA-2023:2022
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2165 https://access.redhat.com/errata/RHSA-2023:2165
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2932 https://access.redhat.com/errata/RHSA-2023:2932
This issue has been addressed in the following products: JBCS httpd 2.4.51.sp2 Via RHSA-2023:3355 https://access.redhat.com/errata/RHSA-2023:3355
This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
JBoss Core Services for RHEL 8
Via RHSA-2023:3354 https://access.redhat.com/errata/RHSA-2023:3354
This issue has been addressed in the following products:
Red Hat JBoss Web Server 5.7 on RHEL 7
Red Hat JBoss Web Server 5.7 on RHEL 8
Red Hat JBoss Web Server 5.7 on RHEL 9
Via RHSA-2023:3420 https://access.redhat.com/errata/RHSA-2023:3420
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2023:3421 https://access.redhat.com/errata/RHSA-2023:3421
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Advanced Update Support
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.2 Telecommunications Update Service
Via RHSA-2023:4124 https://access.redhat.com/errata/RHSA-2023:4124
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:4128 https://access.redhat.com/errata/RHSA-2023:4128
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
Via RHSA-2023:4252 https://access.redhat.com/errata/RHSA-2023:4252
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2023:5209 https://access.redhat.com/errata/RHSA-2023:5209