Bug 2181082 (CVE-2023-0464)

Summary: CVE-2023-0464 openssl: Denial of service by excessive resource usage in verifying X509 policy constraints
Product: [Other] Security Response
Reporter: Sandipan Roy <saroy>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: openssl 3.1.1, openssl 3.0.9, openssl 1.1.1u
Doc Type: If docs needed, set a value
Doc Text:
A security vulnerability has been identified in all supported OpenSSL versions, related to verifying X.509 certificate chains that include policy constraints. An attacker can exploit it by crafting a malicious certificate chain that triggers exponential use of computational resources, leading to a denial of service (DoS) on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
Story Points: ---
Last Closed: 2023-06-22 02:43:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2181084, 2181085, 2181086, 2181087, 2181088, 2181089, 2181090, 2181093, 2181094, 2181095, 2181096, 2181097, 2181098, 2181099, 2181100, 2181101, 2181102, 2181103, 2181104, 2181105, 2186661, 2186662
Bug Blocks: 2180963

Description Sandipan Roy 2023-03-23 05:12:34 UTC
A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1
https://www.openssl.org/news/secadv/20230322.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b
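Added example (not part of this bug record, the OpenSSL project, or the commits above): a small Python check that classifies the banner printed by `openssl version` against the upstream fixed versions this bug names (3.1.1, 3.0.9, 1.1.1u), handling the letter-suffixed 1.1.1x scheme. It assumes an upstream-versioned build; Red Hat packages backport the fix without changing the upstream version string, so on RHEL the errata listed in this bug and the package NVR are authoritative, not the banner. The sample banners are constructed.

```python
"""Classify an `openssl version` banner against the fixed versions named in
CVE-2023-0464 (upstream 3.1.1, 3.0.9, 1.1.1u). Upstream builds only: distro
packages may carry the fix as a backport under an older version string."""
import re

# Fixed-in versions from the bug's "Fixed In Version" field, keyed by release line.
# Tuple layout: (major, minor, patch, letter) where 'a'=1 ... 'u'=21; 3.x has no letter.
FIXED_IN = {
    (3, 1): (3, 1, 1, 0),
    (3, 0): (3, 0, 9, 0),
    (1, 1): (1, 1, 1, 21),   # 1.1.1u
}

_BANNER_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_version(banner):
    """Parse the first line of `openssl version` into (major, minor, patch, letter).

    1.x releases append a letter (1.1.1u); 3.x uses plain numbers. Returns None
    for anything that is not an OpenSSL banner (e.g. LibreSSL)."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch, letters = m.groups()
    # Encode the suffix so that "" < "a" < ... < "z" < "za"; base-26 keeps that order.
    letter_val = 0
    for ch in letters.lower():
        letter_val = letter_val * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(patch), letter_val)


def is_fixed_upstream(banner):
    """True/False if the banner is in a release line covered by this bug and is
    at/after that line's fixed version; None if unparseable or not covered
    (e.g. 1.0.2, which the bug does not list)."""
    v = parse_version(banner)
    if v is None:
        return None
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed


if __name__ == "__main__":
    # Constructed banners, in the shape `openssl version` prints them.
    for b in ("OpenSSL 1.1.1t  7 Feb 2023", "OpenSSL 3.0.9 30 May 2023", "LibreSSL 3.8.2"):
        print(f"{b!r}: fixed upstream = {is_fixed_upstream(b)}")
```

Remember that exposure additionally requires policy processing to be enabled (`-policy' or `X509_VERIFY_PARAM_set1_policies()'), which is off by default.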

Comment 1 Sandipan Roy 2023-03-23 05:28:35 UTC
Created edk2 tracking bugs for this issue:

Affects: fedora-all [bug 2181084]


Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 2181085]


Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 2181086]


Created openssl1.1 tracking bugs for this issue:

Affects: fedora-all [bug 2181087]


Created shim tracking bugs for this issue:

Affects: fedora-all [bug 2181088]


Created shim-unsigned-aarch64 tracking bugs for this issue:

Affects: fedora-all [bug 2181089]


Created shim-unsigned-x64 tracking bugs for this issue:

Affects: fedora-all [bug 2181090]

Comment 11 errata-xmlrpc 2023-06-21 14:38:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:3722 https://access.redhat.com/errata/RHSA-2023:3722

Comment 12 Product Security DevOps Team 2023-06-22 02:43:17 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0464

Comment 14 errata-xmlrpc 2023-12-07 12:17:58 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:7622 https://access.redhat.com/errata/RHSA-2023:7622

Comment 15 errata-xmlrpc 2023-12-07 12:37:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2023:7623 https://access.redhat.com/errata/RHSA-2023:7623

Comment 16 errata-xmlrpc 2023-12-07 13:49:07 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2023:7625 https://access.redhat.com/errata/RHSA-2023:7625

Comment 17 errata-xmlrpc 2023-12-07 13:55:22 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2023:7626 https://access.redhat.com/errata/RHSA-2023:7626