Bug 2182565 (CVE-2023-0466)

Summary: CVE-2023-0466 openssl: Certificate policy check not enabled
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acrosby, adudiak, agarcial, aoconnor, aprice, asegurap, bdettelb, berrange, bootloader-eng-team, caswilli, cllang, csutherl, dbelyavs, ddepaula, dffrench, dfreiber, dhalasz, dkuc, doconnor, drow, fjansen, gzaronik, hbraun, hkataria, ikanias, jary, jburrell, jclere, jdobes, jferlan, jmitchel, jsamir, jtanner, kaycoth, kholdawa, kraxel, kshier, lcouzens, luizcosta, micjohns, mmadzin, mpierce, mskarbek, mturk, ngalvin, ngough, nweather, omaciel, orabin, pbonzini, peholase, pjindal, plodge, psegedy, rblanco, rgodfrey, rh-spice-bugs, rogbas, rravi, stcannon, sthirugn, szappis, teagle, tfister, tohughes, tsasak, virt-maint, vkrizan, vkumar, vmugicag, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenSSL. The X509_VERIFY_PARAM_add0_policy() function is documented to enable the certificate policy check when doing certificate verification implicitly. However, implementing the function does not enable the check, allowing certificates with invalid or incorrect policies to pass the certificate verification. Suddenly enabling the policy check could break existing deployments, so it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. The applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-06-22 03:27:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2182576, 2182577, 2182578, 2182579, 2182580, 2182581, 2182582, 2182583, 2182584, 2182601, 2182602, 2182603, 2182604, 2182605, 2182606, 2182607, 2182608, 2182609, 2182610, 2182611, 2182612, 2187431    
Bug Blocks: 2182416    

Description Sandipan Roy 2023-03-29 03:19:26 UTC 
The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a
https://www.openssl.org/news/secadv/20230328.txt
Comment 2 TEJ RATHI 2023-03-29 04:12:48 UTC 
Created edk2 tracking bugs for this issue:

Affects: fedora-36 [bug 2182603]
Affects: fedora-37 [bug 2182608]


Created mingw-openssl tracking bugs for this issue:

Affects: fedora-36 [bug 2182604]
Affects: fedora-37 [bug 2182609]


Created openssl tracking bugs for this issue:

Affects: fedora-36 [bug 2182605]
Affects: fedora-37 [bug 2182610]


Created openssl1.1 tracking bugs for this issue:

Affects: fedora-36 [bug 2182606]
Affects: fedora-37 [bug 2182611]


Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 2182601]


Created openssl3 tracking bugs for this issue:

Affects: epel-8 [bug 2182602]


Created shim tracking bugs for this issue:

Affects: fedora-36 [bug 2182607]
Affects: fedora-37 [bug 2182612]
Comment 5 errata-xmlrpc 2023-06-21 14:38:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:3722 https://access.redhat.com/errata/RHSA-2023:3722
Comment 6 Product Security DevOps Team 2023-06-22 03:27:45 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0466
Comment 7 errata-xmlrpc 2023-12-07 12:17:59 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:7622 https://access.redhat.com/errata/RHSA-2023:7622
Comment 8 errata-xmlrpc 2023-12-07 12:37:18 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2023:7623 https://access.redhat.com/errata/RHSA-2023:7623
Comment 9 errata-xmlrpc 2023-12-07 13:49:08 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2023:7625 https://access.redhat.com/errata/RHSA-2023:7625
Comment 10 errata-xmlrpc 2023-12-07 13:55:25 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2023:7626 https://access.redhat.com/errata/RHSA-2023:7626