Bug 2182561 (CVE-2023-0465)

Summary: CVE-2023-0465 openssl: Invalid certificate policies in leaf certificates are silently ignored
Product: [Other] Security Response
Reporter: Sandipan Roy <saroy>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: acrosby, adudiak, aoconnor, bdettelb, berrange, bootloader-eng-team, caswilli, cllang, csutherl, dbelyavs, ddepaula, dffrench, dfreiber, dhalasz, dkuc, fjansen, gzaronik, hbraun, hkataria, ikanias, jary, jburrell, jclere, jferlan, jmitchel, jtanner, kaycoth, kraxel, kshier, micjohns, mmadzin, mturk, ngalvin, ngough, nweather, pbonzini, peholase, pjindal, plodge, psegedy, rgodfrey, rh-spice-bugs, rogbas, rravi, stcannon, sthirugn, szappis, tfister, tohughes, tsasak, virt-maint, vkrizan, vkumar, vmugicag, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenSSL. Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL, and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-06-22 03:26:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2182567, 2182568, 2182569, 2182570, 2182571, 2182572, 2182573, 2182574, 2182575, 2182589, 2182590, 2182591, 2182592, 2182593, 2182594, 2182595, 2182596, 2182597, 2182598, 2182599, 2182600, 2187429
Bug Blocks: 2182416

Description Sandipan Roy 2023-03-29 03:17:16 UTC
Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL, and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=facfb1ab745646e97a1920977ae4a9965ea61d5c
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=10325176f3d3e98c6e2b3bf5ab1e3b334de6947a
https://www.openssl.org/news/secadv/20230328.txt
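The non-default policy checking the description refers to, driven from the openssl command line so an operator can confirm what the installed build enforces. This is an added example, not part of the bug report or of OpenSSL's own test suite: it assumes an `openssl` binary (1.1.1 or 3.x) on PATH, generates all certificates itself, and uses a constructed policy OID 1.2.3.4 together with the `-policy_check` and `-explicit_policy` verify options, which the report does not mention.

```shell
#!/bin/sh
# Added example (not from the bug report): drives OpenSSL's certificate policy
# checking, the non-default verification option the advisory refers to, from
# the command line. Assumes `openssl` (1.1.1 or 3.x) is on PATH; all
# certificates are generated below and policy OID 1.2.3.4 is a constructed value.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"

# Self-signed CA (the trust anchor, whose own policies are not evaluated) plus
# two leaves: one asserting policy 1.2.3.4 and one with no certificatePolicies.
make_certs() {
    openssl req -x509 $KEYOPTS -subj /CN=test-ca -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new $KEYOPTS -subj /CN=leaf \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    echo 'certificatePolicies=1.2.3.4' >"$WORK/policy.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/policy.ext" -out "$WORK/leaf.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/nopolicy.pem" 2>/dev/null
}

# verdict <leaf.pem> <required-oid>: prints "accepted" or "rejected".
# -policy supplies the acceptable OID, -policy_check switches policy processing
# on, and -explicit_policy demands that the leaf actually assert an acceptable
# policy, so a leaf whose policies cannot be matched is not waved through.
verdict() {
    if openssl verify -CAfile "$WORK/ca.pem" -policy_check -explicit_policy \
            -policy "$2" "$1" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# outcomes: one word per case, in this order:
#   leaf asserting 1.2.3.4, required 1.2.3.4  -> accepted
#   leaf asserting 1.2.3.4, required 1.2.3.9  -> rejected (no explicit policy)
#   leaf with no policies,  required 1.2.3.4  -> rejected (no explicit policy)
outcomes() {
    echo "$(verdict "$WORK/leaf.pem" 1.2.3.4)" \
         "$(verdict "$WORK/leaf.pem" 1.2.3.9)" \
         "$(verdict "$WORK/nopolicy.pem" 1.2.3.4)"
}

make_certs
outcomes
```

Without `-policy_check` the `-policy` OID is recorded but never evaluated, which is why applications that rely on the CLI or on `X509_VERIFY_PARAM_set1_policies()` should confirm the flags they set with a test chain like this one.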

Comment 2 TEJ RATHI 2023-03-29 04:09:21 UTC
Created edk2 tracking bugs for this issue:

Affects: fedora-36 [bug 2182591]
Affects: fedora-37 [bug 2182596]

Created mingw-openssl tracking bugs for this issue:

Affects: fedora-36 [bug 2182592]
Affects: fedora-37 [bug 2182597]

Created openssl tracking bugs for this issue:

Affects: fedora-36 [bug 2182593]
Affects: fedora-37 [bug 2182598]

Created openssl1.1 tracking bugs for this issue:

Affects: fedora-36 [bug 2182594]
Affects: fedora-37 [bug 2182599]

Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 2182589]

Created openssl3 tracking bugs for this issue:

Affects: epel-8 [bug 2182590]

Created shim tracking bugs for this issue:

Affects: fedora-36 [bug 2182595]
Affects: fedora-37 [bug 2182600]

Comment 5 errata-xmlrpc 2023-06-21 14:38:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:3722 https://access.redhat.com/errata/RHSA-2023:3722

Comment 6 Product Security DevOps Team 2023-06-22 03:26:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0465

Comment 7 errata-xmlrpc 2023-12-07 12:17:59 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:7622 https://access.redhat.com/errata/RHSA-2023:7622

Comment 8 errata-xmlrpc 2023-12-07 12:37:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2023:7623 https://access.redhat.com/errata/RHSA-2023:7623

Comment 9 errata-xmlrpc 2023-12-07 13:49:07 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2023:7625 https://access.redhat.com/errata/RHSA-2023:7625

Comment 10 errata-xmlrpc 2023-12-07 13:55:22 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2023:7626 https://access.redhat.com/errata/RHSA-2023:7626