Bug 2243839 (CVE-2023-5363)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2023-5363 openssl: Incorrect cipher key and IV length processing | | |
| Product | [Other] Security Response | Reporter | Sandipan Roy <saroy> |
| Component | vulnerability | Assignee | Product Security <prodsec-ir-bot> |
| Status | NEW --- | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | adudiak, agarcial, aoconnor, asegurap, bdettelb, caswilli, csutherl, dfreiber, dhalasz, dkuc, fjansen, hkataria, jburrell, jclere, jmitchel, jsamir, jtanner, kaycoth, kshier, luizcosta, mmadzin, mturk, nweather, orabin, peholase, pjindal, plodge, psegedy, rogbas, rtillery, security-response-team, stcannon, sthirugn, szappis, tfister, vkrizan, vkumar, vmugicag, yguenane |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | OpenSSL 3.0.12, OpenSSL 3.1.4 | Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in OpenSSL in how it processes key and initialization vector (IV) lengths. This issue can lead to potential truncation or overruns during the initialization of some symmetric ciphers. A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. Both truncations and overruns of the key and the IV will produce incorrect results and could, in some cases, trigger a memory exception. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2249063, 2249064, 2249065 | | |
| Bug Blocks | 2243841 | | |
Description
Sandipan Roy
2023-10-13 12:44:00 UTC
Public now via upstream advisory: https://www.openssl.org/news/secadv/20231024.txt

Created openssl tracking bugs for this issue:
Affects: fedora-37 [bug 2249064]
Affects: fedora-38 [bug 2249065]

Created openssl3 tracking bugs for this issue:
Affects: epel-8 [bug 2249063]

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2024:0310 https://access.redhat.com/errata/RHSA-2024:0310

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.2 Extended Update Support
Via RHSA-2024:0500 https://access.redhat.com/errata/RHSA-2024:0500