Bug 2182561 (CVE-2023-0465)
| Summary: | CVE-2023-0465 openssl: Invalid certificate policies in leaf certificates are silently ignored | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sandipan Roy <saroy> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | acrosby, adudiak, aoconnor, bdettelb, berrange, bootloader-eng-team, caswilli, cllang, csutherl, dbelyavs, ddepaula, dffrench, dfreiber, dhalasz, dkuc, fjansen, gzaronik, hbraun, hkataria, ikanias, jary, jburrell, jclere, jferlan, jmitchel, jtanner, kaycoth, kraxel, kshier, micjohns, mmadzin, mturk, ngalvin, ngough, nweather, pbonzini, peholase, pjindal, plodge, psegedy, rgodfrey, rh-spice-bugs, rogbas, rravi, stcannon, sthirugn, szappis, tfister, tohughes, tsasak, virt-maint, vkrizan, vkumar, vmugicag, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in OpenSSL. Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL, and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy` argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()` function. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-06-22 03:26:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2182567, 2182568, 2182569, 2182570, 2182571, 2182572, 2182573, 2182574, 2182575, 2182589, 2182590, 2182591, 2182592, 2182593, 2182594, 2182595, 2182596, 2182597, 2182598, 2182599, 2182600, 2187429 | | |
| Bug Blocks: | 2182416 | | |
Description
Sandipan Roy
2023-03-29 03:17:16 UTC
Created edk2 tracking bugs for this issue:
Affects: fedora-36 [bug 2182591]
Affects: fedora-37 [bug 2182596]

Created mingw-openssl tracking bugs for this issue:
Affects: fedora-36 [bug 2182592]
Affects: fedora-37 [bug 2182597]

Created openssl tracking bugs for this issue:
Affects: fedora-36 [bug 2182593]
Affects: fedora-37 [bug 2182598]

Created openssl1.1 tracking bugs for this issue:
Affects: fedora-36 [bug 2182594]
Affects: fedora-37 [bug 2182599]

Created openssl11 tracking bugs for this issue:
Affects: epel-7 [bug 2182589]

Created openssl3 tracking bugs for this issue:
Affects: epel-8 [bug 2182590]

Created shim tracking bugs for this issue:
Affects: fedora-36 [bug 2182595]
Affects: fedora-37 [bug 2182600]

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2023:3722 https://access.redhat.com/errata/RHSA-2023:3722

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2023-0465

This issue has been addressed in the following products:
Red Hat JBoss Web Server 5.7 on RHEL 7
Red Hat JBoss Web Server 5.7 on RHEL 8
Red Hat JBoss Web Server 5.7 on RHEL 9
Via RHSA-2023:7622 https://access.redhat.com/errata/RHSA-2023:7622

This issue has been addressed in the following products:
Red Hat JBoss Web Server
Via RHSA-2023:7623 https://access.redhat.com/errata/RHSA-2023:7623

This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
JBoss Core Services for RHEL 8
Via RHSA-2023:7625 https://access.redhat.com/errata/RHSA-2023:7625

This issue has been addressed in the following products:
Red Hat JBoss Core Services
Via RHSA-2023:7626 https://access.redhat.com/errata/RHSA-2023:7626