As per upstream advisory:

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack.

OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:
1. Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate
2. When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token)

If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools.
Acknowledgments: Name: the OpenSSL project Upstream: David Benjamin (Google)
Mitigation: Applications that do not call OpenSSL's GENERAL_NAME_cmp, directly or through the CRL distribution point and timestamp verification code paths that use it, are not affected by this flaw. Even where the function is reached, an attacker can trigger the crash only if they control both arguments being compared, for example by supplying both the certificate and the CRL that is checked against it.
Statement: This is a flaw in the GENERAL_NAME_cmp function of openssl which can be triggered when both its arguments are of the same type, i.e. EDIPARTYNAME.
1. Red Hat does not ship any applications compiled against openssl that use the above function in a vulnerable way.
2. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: when comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate, and when verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token). If an attacker can control both items being compared then that attacker could trigger a crash. For example, if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then a crash may be triggered.
Third party applications compiled against openssl that use the function GENERAL_NAME_cmp in a vulnerable way are affected by this flaw. GENERAL_NAME_cmp was added in 0.9.8k, therefore older versions of openssl are not affected by this flaw.
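Both the advisory and the statement above describe the trigger condition in terms of the CRL distribution point path: the certificate's CRLDistributionPoints names and the CRL's distribution point names are compared with GENERAL_NAME_cmp before any signature is checked, and the crash needs an EDIPartyName (GeneralName CHOICE tag [5]) on both sides. The following is an added example, not code from the OpenSSL project or from this bug, for triage of certificate material: a stdlib-only DER walker that takes the DER value of a CRLDistributionPoints extension and lists the GeneralName types it carries, decoding any ediPartyName entries (the structure and tag numbers follow the GeneralName, DistributionPoint and EDIPartyName definitions in RFC 5280). The sample extension value at the bottom is constructed inline for the demonstration and does not come from any real certificate; the function and constant names are this example's own. The same walk applies to the distributionPoint field of a CRL's IssuingDistributionPoint extension, which has the same shape.

```python
"""Scan a DER-encoded CRLDistributionPoints extension value for GeneralName
choices and flag ediPartyName ([5]) entries. Standard library only."""

# GeneralName CHOICE alternatives, by context-specific tag number (RFC 5280).
GENERAL_NAME_TYPES = {
    0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
    4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
    7: "iPAddress", 8: "registeredID",
}
CLASS_UNIVERSAL, CLASS_CONTEXT = 0, 2
TAG_SEQUENCE = 16


def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag_class, tag_number, value, next_pos).
    High-tag-number form is rejected: every tag needed here fits one byte."""
    if pos >= len(buf):
        raise ValueError("unexpected end of data")
    first = buf[pos]
    tag_class, tag_number = first >> 6, first & 0x1F
    if tag_number == 0x1F:
        raise ValueError("high-tag-number form not supported")
    pos += 1
    if pos >= len(buf):
        raise ValueError("truncated length")
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long-form length, up to 4 bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated value")
    return tag_class, tag_number, buf[pos:end], end


def children(value):
    """Split the contents of a constructed element into (class, number, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag_class, tag_number, inner, pos = read_tlv(value, pos)
        out.append((tag_class, tag_number, inner))
    return out


def parse_edipartyname(contents):
    """EDIPartyName ::= SEQUENCE { nameAssigner [0] DirectoryString OPTIONAL,
    partyName [1] DirectoryString }. Both tags are EXPLICIT because
    DirectoryString is a CHOICE. Returns (nameAssigner or None, partyName)."""
    name_assigner, party_name = None, None
    for tag_class, tag_number, inner in children(contents):
        if tag_class != CLASS_CONTEXT:
            raise ValueError("EDIPartyName field without context tag")
        _, _, text, _ = read_tlv(inner)    # the DirectoryString inside the tag
        if tag_number == 0:
            name_assigner = text.decode("utf-8", "replace")
        elif tag_number == 1:
            party_name = text.decode("utf-8", "replace")
    if party_name is None:
        raise ValueError("EDIPartyName without mandatory partyName")
    return name_assigner, party_name


def general_names(contents):
    """Contents of a GeneralNames SEQUENCE OF: each child is one context-tagged
    CHOICE alternative. Returns a list of (type_name, detail)."""
    names = []
    for tag_class, tag_number, inner in children(contents):
        if tag_class != CLASS_CONTEXT:
            raise ValueError("GeneralName without context tag")
        type_name = GENERAL_NAME_TYPES.get(tag_number, "[%d]" % tag_number)
        if tag_number == 5:
            detail = parse_edipartyname(inner)
        elif tag_number in (1, 2, 6):                 # IA5String alternatives
            detail = inner.decode("ascii", "replace")
        else:
            detail = inner.hex()
        names.append((type_name, detail))
    return names


def crldp_general_names(ext_value):
    """Walk CRLDistributionPoints ::= SEQUENCE OF DistributionPoint and collect
    every GeneralName found under fullName [0] and cRLIssuer [2]."""
    tag_class, tag_number, outer, _ = read_tlv(ext_value)
    if (tag_class, tag_number) != (CLASS_UNIVERSAL, TAG_SEQUENCE):
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    found = []
    for _, _, dp in children(outer):                       # DistributionPoint
        for tag_class, tag_number, field in children(dp):
            if tag_class != CLASS_CONTEXT:
                continue
            if tag_number == 0:                            # distributionPoint [0] EXPLICIT
                for c2, n2, dpn in children(field):        # DistributionPointName CHOICE
                    if c2 == CLASS_CONTEXT and n2 == 0:    # fullName [0] IMPLICIT GeneralNames
                        found.extend(general_names(dpn))
            elif tag_number == 2:                          # cRLIssuer [2] IMPLICIT GeneralNames
                found.extend(general_names(field))
    return found


def edipartyname_entries(ext_value):
    """Only the ediPartyName names, the input type CVE-2020-1971 needs."""
    return [d for t, d in crldp_general_names(ext_value) if t == "ediPartyName"]


def tlv(tag, content):
    """Minimal DER encoder used only to build the constructed sample below."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    if len(content) < 0x100:
        return bytes([tag, 0x81, len(content)]) + content
    raise ValueError("sample too large")


# Constructed sample: one ordinary URI distribution point and one whose
# fullName is an EDIPartyName with no nameAssigner (not from a real certificate).
URI_NAME = tlv(0x86, b"http://crl.example.test/ca.crl")            # [6] IA5String
EDI_NAME = tlv(0xA5, tlv(0xA1, tlv(0x0C, b"Example Party")))        # [5] { [1] UTF8String }
SAMPLE_CRLDP = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, URI_NAME)))
                   + tlv(0x30, tlv(0xA0, tlv(0xA0, EDI_NAME))))

if __name__ == "__main__":
    for type_name, detail in crldp_general_names(SAMPLE_CRLDP):
        print(type_name, detail)
```

To run it against a real certificate, extract the extension value (for example with a DER library of your choice, or by walking the TBSCertificate with the same read_tlv helper) and pass those bytes to crldp_general_names; any ediPartyName or x400Address result on a certificate that is checked against attacker-supplied CRLs is worth a closer look on builds that predate the fix.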
External References: https://www.openssl.org/news/secadv/20201208.txt
Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1905605]
Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1905603]
Created openssl11 tracking bugs for this issue: Affects: epel-7 [bug 1905604]
Upstream patches:
https://github.com/openssl/openssl/commit/3db2c9f3e5fb9f649ebb4a55918398756310af43
https://github.com/openssl/openssl/commit/43a7033a010feaf72c79d39df65ca733fb9dcd4c
https://github.com/openssl/openssl/commit/b33c48b75aaf33c93aeda42d7138616b9e6a64cb
https://github.com/openssl/openssl/commit/22b88fc9c0e22545401c0b34d24843883ea73fec
https://github.com/openssl/openssl/commit/97ab3c4b538840037812c8d9164d09a1f4bf11a1
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2020:5422 https://access.redhat.com/errata/RHSA-2020:5422
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1971
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:5476 https://access.redhat.com/errata/RHSA-2020:5476
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:5566 https://access.redhat.com/errata/RHSA-2020:5566
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:5588 https://access.redhat.com/errata/RHSA-2020:5588
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2020:5623 https://access.redhat.com/errata/RHSA-2020:5623
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:5637 https://access.redhat.com/errata/RHSA-2020:5637
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Advanced Update Support Via RHSA-2020:5639 https://access.redhat.com/errata/RHSA-2020:5639
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Advanced Update Support Via RHSA-2020:5640 https://access.redhat.com/errata/RHSA-2020:5640
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions Red Hat Enterprise Linux 7.4 Telco Extended Update Support Via RHSA-2020:5641 https://access.redhat.com/errata/RHSA-2020:5641
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:5642 https://access.redhat.com/errata/RHSA-2020:5642
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Extended Lifecycle Support Via RHSA-2021:0056 https://access.redhat.com/errata/RHSA-2021:0056
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 Via RHSA-2021:0486 https://access.redhat.com/errata/RHSA-2021:0486
This issue has been addressed in the following products: JBCS 2.4.37 SP6 Via RHSA-2021:0488 https://access.redhat.com/errata/RHSA-2021:0488
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7 Via RHSA-2021:0489 https://access.redhat.com/errata/RHSA-2021:0489
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2021:0491 https://access.redhat.com/errata/RHSA-2021:0491
This issue has been addressed in the following products: Red Hat JBoss Web Server 5.4 on RHEL 7 Red Hat JBoss Web Server 5.4 on RHEL 8 Via RHSA-2021:0494 https://access.redhat.com/errata/RHSA-2021:0494
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2021:0495 https://access.redhat.com/errata/RHSA-2021:0495