Bug 1903409 (CVE-2020-1971)
| Field | Value |
|---|---|
| Summary | CVE-2020-1971 openssl: EDIPARTYNAME NULL pointer de-reference |
| Product | [Other] Security Response |
| Reporter | Huzaifa S. Sidhpurwala <huzaifas> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | cfergeau, cmoore, crypto-team, csutherl, elima, erik-fedora, fidencio, gmccullo, gzaronik, hrupp, jclere, jlyle, jwon, kaycoth, krathod, ktietz, kwalsh, kyoshida, lgao, lilhuang, marcandre.lureau, mbabacek, mfuruta, mturk, mvanderw, myarboro, pjindal, redhat-bugzilla, rhel-crypto-maint, rh-spice-bugs, rjones, sadams, sahana, security-response-team, szappis, tmraz, weli, yozone |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| See Also | https://issues.redhat.com/browse/JBCS-1043, https://issues.redhat.com/browse/MIGENG-881, https://issues.redhat.com/browse/POL-404 |
| Fixed In Version | openssl 1.1.1i |
| Doc Type | If docs needed, set a value |
| Doc Text | A null pointer dereference flaw was found in openssl. A remote attacker able to control the arguments of the GENERAL_NAME_cmp function could cause an application compiled with openssl to crash, resulting in a denial of service. The highest threat from this vulnerability is to system availability. |
| Story Points | --- |
| Last Closed | 2020-12-15 12:47:13 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1903416, 1903417, 1903418, 1903419, 1903420, 1903421, 1903432, 1905410, 1905411, 1905412, 1905413, 1905414, 1905603, 1905604, 1905605, 1905838, 1905839, 1905840, 1905841, 1905842, 1905843, 1905844, 1905845, 1905846, 1905847, 1905848 |
| Bug Blocks | 1903410, 1954955 |
Description
Huzaifa S. Sidhpurwala
2020-12-02 02:46:15 UTC
Acknowledgments:
Name: the OpenSSL project
Upstream: David Benjamin (Google)

Mitigation:
Applications not using the GENERAL_NAME_cmp function of openssl are not vulnerable to this flaw. Even when this function is used, the attacker can trigger a crash only if they can control both arguments of this function.

Statement:
This is a flaw in the GENERAL_NAME_cmp function of openssl which can be triggered when both its arguments are of the same type, i.e. EDIPARTYNAME.

1. Red Hat does not ship any applications compiled with openssl that use the above function in a vulnerable way.
2. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: when comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate, and when verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token). If an attacker can control both items being compared then that attacker could trigger a crash. For example, if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then a crash may be triggered.

Third party applications compiled with openssl that use the function GENERAL_NAME_cmp in a vulnerable way are affected by this flaw. GENERAL_NAME_cmp was added in 0.9.8k, therefore older versions of openssl are not affected by this flaw.
External References:
https://www.openssl.org/news/secadv/20201208.txt

Created mingw-openssl tracking bugs for this issue:
Affects: fedora-all [bug 1905605]

Created openssl tracking bugs for this issue:
Affects: fedora-all [bug 1905603]

Created openssl11 tracking bugs for this issue:
Affects: epel-7 [bug 1905604]

Upstream patches:
- https://github.com/openssl/openssl/commit/3db2c9f3e5fb9f649ebb4a55918398756310af43
- https://github.com/openssl/openssl/commit/43a7033a010feaf72c79d39df65ca733fb9dcd4c
- https://github.com/openssl/openssl/commit/b33c48b75aaf33c93aeda42d7138616b9e6a64cb
- https://github.com/openssl/openssl/commit/22b88fc9c0e22545401c0b34d24843883ea73fec
- https://github.com/openssl/openssl/commit/97ab3c4b538840037812c8d9164d09a1f4bf11a1

This issue has been addressed in the following products:
- Red Hat Enterprise Linux 8.2 Extended Update Support: via RHSA-2020:5422, https://access.redhat.com/errata/RHSA-2020:5422

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1971

This issue has been addressed in the following products:
- Red Hat Enterprise Linux 8: via RHSA-2020:5476, https://access.redhat.com/errata/RHSA-2020:5476
- Red Hat Enterprise Linux 7: via RHSA-2020:5566, https://access.redhat.com/errata/RHSA-2020:5566
- Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions: via RHSA-2020:5588, https://access.redhat.com/errata/RHSA-2020:5588
- Red Hat Enterprise Linux 7.7 Extended Update Support: via RHSA-2020:5623, https://access.redhat.com/errata/RHSA-2020:5623
- Red Hat Enterprise Linux 8.1 Extended Update Support: via RHSA-2020:5637, https://access.redhat.com/errata/RHSA-2020:5637
- Red Hat Enterprise Linux 7.2 Advanced Update Support: via RHSA-2020:5639, https://access.redhat.com/errata/RHSA-2020:5639
- Red Hat Enterprise Linux 7.3 Advanced Update Support: via RHSA-2020:5640, https://access.redhat.com/errata/RHSA-2020:5640
- Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.4 Telco Extended Update Support: via RHSA-2020:5641, https://access.redhat.com/errata/RHSA-2020:5641
- Red Hat Enterprise Linux 7.6 Extended Update Support: via RHSA-2020:5642, https://access.redhat.com/errata/RHSA-2020:5642
- Red Hat Enterprise Linux 6 Extended Lifecycle Support: via RHSA-2021:0056, https://access.redhat.com/errata/RHSA-2021:0056
- JBoss Core Services on RHEL 7: via RHSA-2021:0486, https://access.redhat.com/errata/RHSA-2021:0486
- JBCS 2.4.37 SP6: via RHSA-2021:0488, https://access.redhat.com/errata/RHSA-2021:0488
- Red Hat JBoss Web Server 3 for RHEL 7: via RHSA-2021:0489, https://access.redhat.com/errata/RHSA-2021:0489
- Red Hat JBoss Web Server: via RHSA-2021:0491, https://access.redhat.com/errata/RHSA-2021:0491
- Red Hat JBoss Web Server 5.4 on RHEL 7, Red Hat JBoss Web Server 5.4 on RHEL 8: via RHSA-2021:0494, https://access.redhat.com/errata/RHSA-2021:0494
- Red Hat JBoss Web Server: via RHSA-2021:0495, https://access.redhat.com/errata/RHSA-2021:0495
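The statement gives two version boundaries for this flaw: GENERAL_NAME_cmp first appeared in 0.9.8k, and the upstream fix shipped in 1.1.1i. The following is an added triage helper (not code from this bug or from OpenSSL) that classifies an upstream version string, or an `openssl version` banner, against that window. The banner lines and the `status_from_banner` helper are constructed for this example; distribution packages such as the RHEL builds listed above backport the fix without changing the version string, so an "affected" result for a vendor package only means "confirm against the errata".

```python
"""Classify an OpenSSL version against the CVE-2020-1971 window stated on
this page: GENERAL_NAME_cmp added in 0.9.8k, upstream fix in 1.1.1i.
Added example, not OpenSSL's or Red Hat's code."""
import re
from typing import Tuple

FIRST_AFFECTED = "0.9.8k"  # GENERAL_NAME_cmp introduced here (per the statement)
FIXED_UPSTREAM = "1.1.1i"  # "Fixed In Version" on this bug

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")
# Constructed banner pattern: "OpenSSL 1.1.1g FIPS  21 Apr 2020"
_BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+\.\d+\.\d+[a-z]*)")


def parse_openssl_version(version: str) -> Tuple[int, int, int, str]:
    """Parse 'MAJOR.MINOR.PATCH[letters]' such as '1.1.1h', '0.9.8k' or '3.0.0'.

    The tuple compares correctly under Python's ordering: a bare release
    sorts before its lettered patch releases ('' < 'a'), and letters sort
    alphabetically, which is how OpenSSL ordered its pre-3.0 releases.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, patch, letters = m.groups()
    return int(major), int(minor), int(patch), letters


def cve_2020_1971_status(version: str) -> str:
    """Return 'not_affected' (predates GENERAL_NAME_cmp), 'fixed' (at or
    after the upstream fix) or 'affected' (upstream code in the window;
    a vendor backport may still have fixed it, so check the errata)."""
    v = parse_openssl_version(version)
    if v < parse_openssl_version(FIRST_AFFECTED):
        return "not_affected"
    if v >= parse_openssl_version(FIXED_UPSTREAM):
        return "fixed"
    return "affected"


def status_from_banner(banner: str) -> str:
    """Pull the version out of an `openssl version` banner and classify it.
    Hypothetical helper for inventory scripts; raises if no version is found."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSL version in banner: {banner!r}")
    return cve_2020_1971_status(m.group(1))
```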