Bug 2164492 (CVE-2023-0215)
| Summary: | CVE-2023-0215 openssl: use-after-free following BIO_new_NDEF | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | acrosby, adudiak, bdettelb, berrange, bootloader-eng-team, caswilli, christopher.voltz, cllang, csutherl, dbelyavs, ddepaula, dffrench, dfreiber, dhalasz, dkuc, drieden, fjansen, gzaronik, hbraun, hkataria, ikanias, jary, jburrell, jclere, jferlan, jkoehler, jmitchel, jtanner, jwon, kaycoth, kraxel, kshier, kyoshida, micjohns, mmadzin, mturk, ngough, nweather, pbonzini, peholase, pjindal, plodge, rgodfrey, rh-spice-bugs, rogbas, rravi, security-response-team, smahanga, stcannon, sthirugn, szappis, tfister, tohughes, virt-maint, vkrizan, vkumar, vmugicag, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | A use-after-free vulnerability was found in OpenSSL's BIO_new_NDEF function. The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally by OpenSSL to support the SMIME, CMS, and PKCS7 streaming capabilities, but it may also be called directly by end-user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed, and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up, and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then calls BIO_pop() on the BIO, a use-after-free will occur, possibly resulting in a crash. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-03-22 14:04:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2164557, 2164562, 2164563, 2167896, 2167899, 2191731, 2164556, 2164558, 2164559, 2164561, 2164564, 2164565, 2164566, 2164567, 2164568, 2164569, 2166347, 2167887, 2167888, 2167889, 2167890, 2167891, 2167892, 2167893, 2167894, 2167895, 2167897, 2167898, 2167900, 2167901, 2167902, 2191730, 2191732, 2208592, 2208593 | ||
| Bug Blocks: | 2164384 | ||
Description
Marian Rehak
2023-01-25 15:33:37 UTC

Created edk2 tracking bugs for this issue:
Affects: fedora-36 [bug 2167889]
Affects: fedora-37 [bug 2167897]

Created mingw-openssl tracking bugs for this issue:
Affects: fedora-36 [bug 2167890]
Affects: fedora-37 [bug 2167896]

Created openssl tracking bugs for this issue:
Affects: fedora-36 [bug 2167891]
Affects: fedora-37 [bug 2167898]

Created openssl1.1 tracking bugs for this issue:
Affects: fedora-36 [bug 2167892]
Affects: fedora-37 [bug 2167899]

Created openssl11 tracking bugs for this issue:
Affects: epel-7 [bug 2167888]

Created openssl3 tracking bugs for this issue:
Affects: epel-8 [bug 2167887]

Created shim tracking bugs for this issue:
Affects: fedora-36 [bug 2167893]
Affects: fedora-37 [bug 2167900]

Created shim-unsigned-aarch64 tracking bugs for this issue:
Affects: fedora-36 [bug 2167894]
Affects: fedora-37 [bug 2167901]

Created shim-unsigned-x64 tracking bugs for this issue:
Affects: fedora-36 [bug 2167895]
Affects: fedora-37 [bug 2167902]

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2023:0946 https://access.redhat.com/errata/RHSA-2023:0946

Do we have a schedule for when this will be fixed in RHEL 8?

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.0 Extended Update Support
Via RHSA-2023:1199 https://access.redhat.com/errata/RHSA-2023:1199

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2023:1405 https://access.redhat.com/errata/RHSA-2023:1405

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-0215

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2023:2165 https://access.redhat.com/errata/RHSA-2023:2165

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2023:2932 https://access.redhat.com/errata/RHSA-2023:2932

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.6 Extended Update Support
Via RHSA-2023:3408 https://access.redhat.com/errata/RHSA-2023:3408

This issue has been addressed in the following products:
JBCS httpd 2.4.51.sp2
Via RHSA-2023:3355 https://access.redhat.com/errata/RHSA-2023:3355

This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
JBoss Core Services for RHEL 8
Via RHSA-2023:3354 https://access.redhat.com/errata/RHSA-2023:3354

This issue has been addressed in the following products:
Red Hat JBoss Web Server 5.7 on RHEL 7
Red Hat JBoss Web Server 5.7 on RHEL 8
Red Hat JBoss Web Server 5.7 on RHEL 9
Via RHSA-2023:3420 https://access.redhat.com/errata/RHSA-2023:3420

This issue has been addressed in the following products:
Red Hat JBoss Web Server
Via RHSA-2023:3421 https://access.redhat.com/errata/RHSA-2023:3421

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.6 Extended Update Support
Via RHSA-2023:4128 https://access.redhat.com/errata/RHSA-2023:4128
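
The failure path described in the Doc Text above, as an added C sketch that is not OpenSSL's code or part of this bug report: a toy doubly linked chain in which a helper prepends a filter node and then fails. All names (`node`, `new_filter_chain`, `unlink_on_error`, the static pool) are hypothetical, and the pool's `live` flag is an assumption that lets the stale link be observed without reading freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Toy model, not OpenSSL code. Nodes come from a static pool with a `live`
 * flag, so a stale link can be detected without reading freed memory. */
typedef struct node { struct node *prev, *next; bool live; } node;
static node pool[4];

static node *node_new(void) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++)
        if (!pool[i].live) { pool[i] = (node){ NULL, NULL, true }; return &pool[i]; }
    return NULL;
}
/* Like a real free: neighbours that still point here are not updated. */
static void node_free(node *n) { if (n) n->live = false; }
/* Prepend `filter` in front of `out` (the step that forms the chain). */
static void chain_push(node *filter, node *out) { filter->next = out; out->prev = filter; }
/* Detach `n` from its neighbours. */
static void chain_pop(node *n) {
    if (n->prev) n->prev->next = n->next;
    if (n->next) n->next->prev = n->prev;
    n->prev = n->next = NULL;
}

/* Hypothetical stand-in for the helper: push a filter, then set-up may fail. */
static node *new_filter_chain(node *out, bool setup_ok, bool unlink_on_error) {
    node *filter = node_new();
    if (!filter) return NULL;
    chain_push(filter, out);
    if (setup_ok) return filter;               /* new head of the chain */
    if (unlink_on_error) chain_pop(filter);    /* cleanup the flawed path skips */
    node_free(filter);
    return NULL;
}

/* True if the caller's node still links to a freed filter after a failure. */
static bool failure_leaves_stale_link(bool unlink_on_error) {
    node *out = node_new();
    new_filter_chain(out, false, unlink_on_error);
    bool stale = out->prev != NULL && !out->prev->live;
    node_free(out);
    return stale;
}

int main(void) {
    printf("no cleanup: stale=%d, unlinked before free: stale=%d\n",
           failure_leaves_stale_link(false), failure_leaves_stale_link(true));
    return 0;
}
```

In the flawed variant the helper returns NULL while the caller's node still points at the freed filter, which is the state in which a later pop on the caller's BIO touches freed memory.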