Bug 2164440 (CVE-2023-0286)
| Summary: | CVE-2023-0286 openssl: X.400 address type confusion in X.509 GeneralName | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sandipan Roy <saroy> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | acrosby, adudiak, aprice, arachman, bdettelb, berrange, bootloader-eng-team, caswilli, chmays, cllang, crizzo, csutherl, dbelyavs, ddepaula, dffrench, dfreiber, dhalasz, dkuc, doconnor, drieden, drow, fjansen, fperalta, gzaronik, hbraun, hkataria, ikanias, jary, jburrell, jclere, jferlan, jforrest, jkoehler, jmaloy, jmitchel, jsamir, jtanner, jvasik, jwon, kaycoth, kesha.plovec02, kholdawa, klaas, kraxel, kshier, kyoshida, lcouzens, lphiri, lveyde, michal.skrivanek, micjohns, mmadzin, mperina, mpierce, mralph, mskarbek, mturk, ngough, nweather, oezr, omaciel, pbonzini, peholase, pjindal, plodge, rblanco, rgodfrey, rh-spice-bugs, rogbas, rravi, sbonazzo, scarney, security-response-team, smahanga, snarayanan, stcannon, sthirugn, szappis, teagle, tfister, tohughes, virt-maint, vkrizan, vkumar, vmugicag, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-03-23 15:46:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2164526, 2164527, 2164528, 2164530, 2164531, 2164532, 2164533, 2164534, 2164535, 2164536, 2164537, 2164538, 2164539, 2166343, 2167865, 2167866, 2167867, 2167868, 2167869, 2167870, 2167871, 2167872, 2167873, 2167874, 2167875, 2167876, 2167877, 2167878, 2167879, 2167880, 2176790, 2178650, 2178651, 2178652, 2178653, 2178654, 2178655, 2178656, 2178657, 2178658, 2178659, 2178660, 2178661, 2178662, 2178663, 2178664, 2178665, 2178666, 2178667, 2178668, 2178669, 2178670, 2178671, 2178672, 2178673, 2178674, 2178675, 2178676, 2178687, 2183954 | | |
| Bug Blocks: | 2164384 | | |

Doc Text:

A type confusion vulnerability was found in OpenSSL's processing of X.400 addresses inside an X.509 GeneralName. When CRL checking is enabled (for example, the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or cause a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and the CRL, neither of which needs a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. In that case, this vulnerability is likely to affect only applications that have implemented their own functionality for retrieving CRLs over a network.
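The Doc Text notes that with only one attacker-controlled input, the other input must already carry an X.400 address as a CRL distribution point, which is uncommon. The following Python helper is an added triage example (not code from this bug report or from OpenSSL) that walks a DER-encoded CRLDistributionPoints extension value and reports which GeneralName alternatives each distribution point uses, flagging x400Address so a defender can check certificates and CRLs in their own environment for that condition. All function names are this example's own, the input is the raw extension value rather than a whole certificate, and the sample bytes are constructed inline with an empty placeholder ORAddress body.

```python
# GeneralName is a CHOICE keyed by context-specific tag number (RFC 5280, section 4.2.1.6).
GENERAL_NAME_TYPES = {0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address", 4: "directoryName",
                      5: "ediPartyName", 6: "uniformResourceIdentifier", 7: "iPAddress", 8: "registeredID"}
def der_read(buf, pos):
    """Decode one DER TLV at buf[pos]: (class, constructed, tag number, value, next pos)."""
    first, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return first >> 6, bool(first & 0x20), first & 0x1F, buf[pos:pos + length], pos + length

def der_children(value):  # yield (class, constructed, tag number, value) per contained TLV
    pos = 0
    while pos < len(value):
        cls, con, num, val, pos = der_read(value, pos)
        yield cls, con, num, val

def general_name_types(general_names):  # name every GeneralName alternative in a GeneralNames body
    return [GENERAL_NAME_TYPES.get(num, f"unknown[{num}]")
            for cls, _, num, _ in der_children(general_names) if cls == 2]

def crl_dp_name_types(ext_value):
    """Per DistributionPoint, list the GeneralName types used in fullName and in cRLIssuer."""
    cls, con, num, seq, _ = der_read(ext_value, 0)
    assert (cls, con, num) == (0, True, 16), "expected SEQUENCE OF DistributionPoint"
    result = []
    for _, _, _, dp in der_children(seq):
        entry = {"fullName": [], "cRLIssuer": []}
        for cls, _, num, val in der_children(dp):
            if cls == 2 and num == 0:  # distributionPoint [0] EXPLICIT DistributionPointName
                for icls, _, inum, ival in der_children(val):
                    if icls == 2 and inum == 0:  # fullName [0] IMPLICIT GeneralNames
                        entry["fullName"] = general_name_types(ival)
            elif cls == 2 and num == 2:  # cRLIssuer [2] IMPLICIT GeneralNames
                entry["cRLIssuer"] = general_name_types(val)
        result.append(entry)
    return result

def has_x400_crl_dp(ext_value):  # the uncommon condition named in the Doc Text
    return any("x400Address" in e["fullName"] + e["cRLIssuer"] for e in crl_dp_name_types(ext_value))

def tlv(tag, body):  # minimal DER encoder (lengths below 65536) for the constructed sample
    ln = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + ln + body

# Constructed sample, not from any real certificate: DP 1 names a URI; DP 2 names an x400Address (empty placeholder ORAddress body) and a directoryName cRLIssuer.
DP_URI = tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, b"http://crl.example.test/ca.crl"))))
DP_X400 = tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0xA3, tlv(0x30, b"")))) + tlv(0xA2, tlv(0xA4, tlv(0x30, b""))))
SAMPLE_CRL_DP = tlv(0x30, DP_URI + DP_X400)
```

The same walk applies to a CRL's issuingDistributionPoint, which reuses the DistributionPointName and GeneralNames encodings.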
Description
Sandipan Roy
2023-01-25 14:49:57 UTC
Created edk2 tracking bugs for this issue:
Affects: fedora-36 [bug 2167867]
Affects: fedora-37 [bug 2167874]

Created mingw-openssl tracking bugs for this issue:
Affects: fedora-36 [bug 2167868]
Affects: fedora-37 [bug 2167875]

Created openssl tracking bugs for this issue:
Affects: fedora-36 [bug 2167869]
Affects: fedora-37 [bug 2167876]

Created openssl1.1 tracking bugs for this issue:
Affects: fedora-36 [bug 2167870]
Affects: fedora-37 [bug 2167877]

Created openssl11 tracking bugs for this issue:
Affects: epel-7 [bug 2167865]

Created openssl3 tracking bugs for this issue:
Affects: epel-8 [bug 2167866]

Created shim tracking bugs for this issue:
Affects: fedora-36 [bug 2167871]
Affects: fedora-37 [bug 2167878]

Created shim-unsigned-aarch64 tracking bugs for this issue:
Affects: fedora-36 [bug 2167872]
Affects: fedora-37 [bug 2167879]

Created shim-unsigned-x64 tracking bugs for this issue:
Affects: fedora-36 [bug 2167873]
Affects: fedora-37 [bug 2167880]

Hi! As I see, you state that RHEL6 openssl is not affected. I suppose you have concluded this from Security Advisory, but source code of openssl shows that vulnerable piece of code seems to be present. Have you verified the source code or concluded vulnerability status from security advisory? If you have verified the source code, could you please explain what exactly makes you think that openssl is not vulnerable?

(In reply to Nikita Ivanov from comment #9)
> Hi! As I see, you state that RHEL6 openssl is not affected. I suppose you have concluded this from Security Advisory, but source code of openssl shows that vulnerable piece of code seems to be present. Have you verified the source code or concluded vulnerability status from security advisory? If you have verified the source code, could you please explain what exactly makes you think that openssl is not vulnerable?

Hello Nikita,
We are not fixing that on RHEL-6, because as per internal policies, RHEL-6 is out of support scope. And yes, it's vulnerable to this security flaw.
Thanks

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2023:0946 https://access.redhat.com/errata/RHSA-2023:0946

Any plans to address it in RHEL8?

(In reply to Sandra Carney from comment #22)
> Any plans to address it in RHEL8?

RHSA-2023:109716 is already in Progress for RHEL-8. Thanks.

I checked the Errata, don't see it. Is that because it hasn't been published yet? Are you targeting RHEL8 with the fix?

Sorry, I meant RHEL 8.8

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.0 Extended Update Support
Via RHSA-2023:1199 https://access.redhat.com/errata/RHSA-2023:1199

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2023:1335 https://access.redhat.com/errata/RHSA-2023:1335

Hi, I meant to ask the patch as in a diff of the code. Is it possible to get it?

(In reply to Shankar narayanan R from comment #33)
> Hi, I meant to ask the patch as in a diff of the code. Is it possible to get it?

https://git.centos.org/rpms/openssl/blob/3852e30e7f26cbb2cf30ce617099b3b2cb341a41/f/SOURCES/openssl-1.0.2k-cve-2023-0286-X400.patch would be el7
https://git.centos.org/rpms/openssl/blob/2502e239760c267784da79808cd792bfe2635626/f/SOURCES/openssl-1.1.1-cve-2023-0286-X400.patch would be el8
https://gitlab.com/redhat/centos-stream/rpms/openssl/-/blob/c9s/0107-CVE-2023-0286-X400.patch would be el9

Thanks a lot @klaas

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2023:1405 https://access.redhat.com/errata/RHSA-2023:1405

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
Via RHSA-2023:1437 https://access.redhat.com/errata/RHSA-2023:1437

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Advanced Update Support
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.2 Telecommunications Update Service
Via RHSA-2023:1439 https://access.redhat.com/errata/RHSA-2023:1439

This issue has been addressed in the following products:
Red Hat Enterprise Linux 6 Extended Lifecycle Support
Via RHSA-2023:1438 https://access.redhat.com/errata/RHSA-2023:1438

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Extended Update Support
Via RHSA-2023:1440 https://access.redhat.com/errata/RHSA-2023:1440

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.6 Extended Update Support
Via RHSA-2023:1441 https://access.redhat.com/errata/RHSA-2023:1441

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-0286

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.0 Extended Update Support
Via RHSA-2023:2022 https://access.redhat.com/errata/RHSA-2023:2022

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2023:2165 https://access.redhat.com/errata/RHSA-2023:2165

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2023:2932 https://access.redhat.com/errata/RHSA-2023:2932

This issue has been addressed in the following products:
JBCS httpd 2.4.51.sp2
Via RHSA-2023:3355 https://access.redhat.com/errata/RHSA-2023:3355

This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
JBoss Core Services for RHEL 8
Via RHSA-2023:3354 https://access.redhat.com/errata/RHSA-2023:3354

This issue has been addressed in the following products:
Red Hat JBoss Web Server 5.7 on RHEL 7
Red Hat JBoss Web Server 5.7 on RHEL 8
Red Hat JBoss Web Server 5.7 on RHEL 9
Via RHSA-2023:3420 https://access.redhat.com/errata/RHSA-2023:3420

This issue has been addressed in the following products:
Red Hat JBoss Web Server
Via RHSA-2023:3421 https://access.redhat.com/errata/RHSA-2023:3421

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Advanced Update Support
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.2 Telecommunications Update Service
Via RHSA-2023:4124 https://access.redhat.com/errata/RHSA-2023:4124

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.6 Extended Update Support
Via RHSA-2023:4128 https://access.redhat.com/errata/RHSA-2023:4128

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
Via RHSA-2023:4252 https://access.redhat.com/errata/RHSA-2023:4252

This issue has been addressed in the following products:
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
Via RHSA-2023:5209 https://access.redhat.com/errata/RHSA-2023:5209

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7.7 Advanced Update Support
Via RHSA-2024:5136 https://access.redhat.com/errata/RHSA-2024:5136

Is the file compat-openssl11 going to be fixed as a part of this bugzilla? It is listed as affected by this CVE.

(In reply to Chris Mays from comment #62)
> Is the file compat-openssl11 going to be fixed as a part of this bugzilla?
> It is listed as affected by this CVE.

There are no plans to address this in compat-openssl11.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.4 Extended Update Support
Via RHSA-2025:7733 https://access.redhat.com/errata/RHSA-2025:7733

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2025:7895 https://access.redhat.com/errata/RHSA-2025:7895

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2025:7937 https://access.redhat.com/errata/RHSA-2025:7937