Bug 2207947 (CVE-2023-2650)
| Summary: | CVE-2023-2650 openssl: Possible DoS translating ASN.1 object identifiers | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sandipan Roy <saroy> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | acrosby, adudiak, aoconnor, bdettelb, berrange, bootloader-eng-team, caswilli, cllang, csutherl, dbelyavs, ddepaula, dffrench, dfreiber, dhalasz, dkuc, drieden, fjansen, gzaronik, hkataria, ikanias, jary, jburrell, jclere, jferlan, jmitchel, jtanner, kaycoth, kraxel, kshier, micjohns, mmadzin, mturk, ngough, nweather, pbonzini, peholase, pjindal, plodge, psegedy, rgodfrey, rh-spice-bugs, rogbas, rravi, security-response-team, stcannon, sthirugn, szappis, tfister, tohughes, tsasak, virt-maint, vkrizan, vkumar, vmugicag, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in OpenSSL resulting in a possible denial of service while translating ASN.1 object identifiers. Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience long delays when processing messages, which may lead to a denial of service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-06-22 03:29:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2207952, 2207953, 2207954, 2207955, 2207956, 2207957, 2207958, 2207959, 2207960, 2207961, 2207962, 2207963, 2207964, 2211107, 2211109, 2211112, 2211116, 2211119, 2211122, 2233517 | ||
| Bug Blocks: | 2207929 | ||
|
Description
Sandipan Roy
2023-05-17 12:47:05 UTC
Created openssl tracking bugs for this issue: Affects: fedora-37 [bug 2211112] Affects: fedora-38 [bug 2211119] Created openssl1.1 tracking bugs for this issue: Affects: fedora-37 [bug 2211116] Affects: fedora-38 [bug 2211122] Created openssl11 tracking bugs for this issue: Affects: epel-7 [bug 2211107] Created openssl3 tracking bugs for this issue: Affects: epel-8 [bug 2211109] This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:3722 https://access.redhat.com/errata/RHSA-2023:3722 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-2650 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6330 https://access.redhat.com/errata/RHSA-2023:6330 This issue has been addressed in the following products: Red Hat JBoss Web Server 5.7 on RHEL 7 Red Hat JBoss Web Server 5.7 on RHEL 8 Red Hat JBoss Web Server 5.7 on RHEL 9 Via RHSA-2023:7622 https://access.redhat.com/errata/RHSA-2023:7622 This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2023:7623 https://access.redhat.com/errata/RHSA-2023:7623 This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services for RHEL 8 Via RHSA-2023:7625 https://access.redhat.com/errata/RHSA-2023:7625 This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2023:7626 https://access.redhat.com/errata/RHSA-2023:7626 |