Bug 2164492 (CVE-2023-0215) - CVE-2023-0215 openssl: use-after-free following BIO_new_NDEF
Summary: CVE-2023-0215 openssl: use-after-free following BIO_new_NDEF
Status: CLOSED ERRATA
Alias: CVE-2023-0215
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 2164556 2164557 2164558 2164559 2164561 2164562 2164563 2164564 2164565 2164566 2164567 2164568 2164569 2166347 2167887 2167888 2167889 2167890 2167891 2167892 2167893 2167894 2167895 2167896 2167897 2167898 2167899 2167900 2167901 2167902 2191730 2191731 2191732 2208592 2208593
Blocks: 2164384
Reported: 2023-01-25 15:33 UTC by Marian Rehak
Modified: 2024-02-05 22:55 UTC

Doc Text:
A use-after-free vulnerability was found in OpenSSL's BIO_new_NDEF function. The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally by OpenSSL to support the SMIME, CMS, and PKCS7 streaming capabilities, but it may also be called directly by end-user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed, and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up, and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then calls BIO_pop() on the BIO, a use-after-free will occur, possibly resulting in a crash.
Last Closed: 2023-03-22 14:04:59 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:1413 0 None None None 2023-03-22 19:48:37 UTC
Red Hat Product Errata RHBA-2023:1414 0 None None None 2023-03-22 19:48:45 UTC
Red Hat Product Errata RHBA-2023:1415 0 None None None 2023-03-22 19:54:57 UTC
Red Hat Product Errata RHBA-2023:1416 0 None None None 2023-03-22 20:48:30 UTC
Red Hat Product Errata RHBA-2023:1417 0 None None None 2023-03-22 20:44:56 UTC
Red Hat Product Errata RHBA-2023:1418 0 None None None 2023-03-22 20:56:35 UTC
Red Hat Product Errata RHBA-2023:1419 0 None None None 2023-03-22 21:00:55 UTC
Red Hat Product Errata RHBA-2023:1420 0 None None None 2023-03-22 21:25:32 UTC
Red Hat Product Errata RHBA-2023:1421 0 None None None 2023-03-22 21:26:43 UTC
Red Hat Product Errata RHBA-2023:1422 0 None None None 2023-03-22 21:34:45 UTC
Red Hat Product Errata RHBA-2023:1423 0 None None None 2023-03-22 21:37:31 UTC
Red Hat Product Errata RHBA-2023:1424 0 None None None 2023-03-22 21:42:57 UTC
Red Hat Product Errata RHBA-2023:1425 0 None None None 2023-03-22 21:38:47 UTC
Red Hat Product Errata RHBA-2023:1426 0 None None None 2023-03-22 21:47:27 UTC
Red Hat Product Errata RHBA-2023:1431 0 None None None 2023-03-23 08:53:27 UTC
Red Hat Product Errata RHBA-2023:1446 0 None None None 2023-03-23 13:05:05 UTC
Red Hat Product Errata RHBA-2023:1449 0 None None None 2023-03-23 17:48:00 UTC
Red Hat Product Errata RHBA-2023:1459 0 None None None 2023-03-27 01:23:05 UTC
Red Hat Product Errata RHBA-2023:1460 0 None None None 2023-03-27 06:58:59 UTC
Red Hat Product Errata RHBA-2023:1461 0 None None None 2023-03-27 08:50:22 UTC
Red Hat Product Errata RHBA-2023:1463 0 None None None 2023-03-27 07:48:51 UTC
Red Hat Product Errata RHBA-2023:1464 0 None None None 2023-03-27 10:35:11 UTC
Red Hat Product Errata RHBA-2023:1465 0 None None None 2023-03-27 08:02:49 UTC
Red Hat Product Errata RHBA-2023:1475 0 None None None 2023-03-27 10:36:06 UTC
Red Hat Product Errata RHBA-2023:1476 0 None None None 2023-03-27 11:23:54 UTC
Red Hat Product Errata RHBA-2023:1477 0 None None None 2023-03-27 10:54:13 UTC
Red Hat Product Errata RHBA-2023:1493 0 None None None 2023-03-28 11:36:18 UTC
Red Hat Product Errata RHBA-2023:1497 0 None None None 2023-03-28 14:02:02 UTC
Red Hat Product Errata RHBA-2023:1499 0 None None None 2023-03-28 17:57:57 UTC
Red Hat Product Errata RHBA-2023:1500 0 None None None 2023-03-28 19:04:49 UTC
Red Hat Product Errata RHBA-2023:1502 0 None None None 2023-03-28 21:16:06 UTC
Red Hat Product Errata RHBA-2023:1517 0 None None None 2023-03-29 12:59:21 UTC
Red Hat Product Errata RHBA-2023:1519 0 None None None 2023-03-29 12:49:55 UTC
Red Hat Product Errata RHBA-2023:1520 0 None None None 2023-03-29 12:45:50 UTC
Red Hat Product Errata RHBA-2023:1530 0 None None None 2023-03-30 09:59:22 UTC
Red Hat Product Errata RHBA-2023:1532 0 None None None 2023-03-30 12:21:28 UTC
Red Hat Product Errata RHBA-2023:1536 0 None None None 2023-03-30 15:39:58 UTC
Red Hat Product Errata RHBA-2023:1539 0 None None None 2023-03-30 19:40:01 UTC
Red Hat Product Errata RHBA-2023:1625 0 None None None 2023-04-04 14:23:35 UTC
Red Hat Product Errata RHBA-2023:1626 0 None None None 2023-04-04 15:41:50 UTC
Red Hat Product Errata RHBA-2023:1627 0 None None None 2023-04-04 16:48:18 UTC
Red Hat Product Errata RHBA-2023:1628 0 None None None 2023-04-04 16:42:16 UTC
Red Hat Product Errata RHBA-2023:1641 0 None None None 2023-04-05 02:58:36 UTC
Red Hat Product Errata RHBA-2023:1654 0 None None None 2023-04-05 12:31:04 UTC
Red Hat Product Errata RHBA-2023:1708 0 None None None 2023-04-11 14:49:51 UTC
Red Hat Product Errata RHBA-2023:1736 0 None None None 2023-04-11 21:35:15 UTC
Red Hat Product Errata RHBA-2023:1764 0 None None None 2023-04-12 21:25:15 UTC
Red Hat Product Errata RHBA-2023:1798 0 None None None 2023-04-17 01:50:48 UTC
Red Hat Product Errata RHBA-2023:1800 0 None None None 2023-04-17 13:18:34 UTC
Red Hat Product Errata RHBA-2023:1825 0 None None None 2023-04-18 16:52:52 UTC
Red Hat Product Errata RHBA-2023:1850 0 None None None 2023-04-18 21:30:21 UTC
Red Hat Product Errata RHBA-2023:1886 0 None None None 2023-04-19 19:40:46 UTC
Red Hat Product Errata RHBA-2023:1929 0 None None None 2023-04-24 01:45:04 UTC
Red Hat Product Errata RHBA-2023:2033 0 None None None 2023-04-26 18:29:09 UTC
Red Hat Product Errata RHBA-2023:2048 0 None None None 2023-04-27 13:25:50 UTC
Red Hat Product Errata RHBA-2023:2086 0 None None None 2023-05-02 18:14:58 UTC
Red Hat Product Errata RHBA-2023:2088 0 None None None 2023-05-03 02:30:45 UTC
Red Hat Product Errata RHBA-2023:2105 0 None None None 2023-05-03 22:06:02 UTC
Red Hat Product Errata RHBA-2023:2106 0 None None None 2023-05-03 22:25:46 UTC
Red Hat Product Errata RHSA-2023:0946 0 None None None 2023-02-28 08:18:13 UTC
Red Hat Product Errata RHSA-2023:1199 0 None None None 2023-03-14 13:52:58 UTC
Red Hat Product Errata RHSA-2023:1405 0 None None None 2023-03-22 10:33:39 UTC
Red Hat Product Errata RHSA-2023:2165 0 None None None 2023-05-09 07:13:21 UTC
Red Hat Product Errata RHSA-2023:2932 0 None None None 2023-05-16 08:29:58 UTC
Red Hat Product Errata RHSA-2023:3354 0 None None None 2023-06-05 11:51:01 UTC
Red Hat Product Errata RHSA-2023:3355 0 None None None 2023-06-05 11:47:11 UTC
Red Hat Product Errata RHSA-2023:3408 0 None None None 2023-05-31 18:36:54 UTC
Red Hat Product Errata RHSA-2023:3420 0 None None None 2023-06-05 13:56:08 UTC
Red Hat Product Errata RHSA-2023:3421 0 None None None 2023-06-05 14:16:39 UTC
Red Hat Product Errata RHSA-2023:4128 0 None None None 2023-07-18 08:19:40 UTC

Description Marian Rehak 2023-01-25 15:33:37 UTC
The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash.
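
The stale-pointer condition described above, as an added example that is neither OpenSSL code nor part of the original report: a toy doubly linked chain models the failing constructor and one possible cleanup. The names `node`, `chain_push`, `chain_pop`, `new_filter_buggy` and `new_filter_fixed` are hypothetical, and freed nodes are only flagged rather than released so the stale access can be detected without undefined behaviour.

```c
#include <stdio.h>
#include <stddef.h>

/* Toy stand-in for a BIO: a doubly linked chain node with a liveness flag. */
typedef struct node {
    struct node *prev, *next;
    int alive;                  /* 0 once "freed"; memory is kept for the check */
} node;

/* Prepend filter f in front of out, as the report says BIO_new_NDEF does. */
static void chain_push(node *f, node *out) { f->next = out; out->prev = f; }
static void node_free(node *n) { n->alive = 0; }

/* Unlink n from its chain. Returns -1 if that would touch a freed neighbour. */
static int chain_pop(node *n) {
    if ((n->prev && !n->prev->alive) || (n->next && !n->next->alive))
        return -1;              /* real code would dereference freed memory here */
    if (n->prev) n->prev->next = n->next;
    if (n->next) n->next->prev = n->prev;
    n->prev = n->next = NULL;
    return 0;
}

/* Error path as described: the filter is freed while still linked to out. */
static node *new_filter_buggy(node *f, node *out, int setup_ok) {
    chain_push(f, out);
    if (!setup_ok) { node_free(f); return NULL; }
    return f;
}

/* One possible cleanup (assumption): unlink the filter before freeing it. */
static node *new_filter_fixed(node *f, node *out, int setup_ok) {
    chain_push(f, out);
    if (!setup_ok) { chain_pop(f); node_free(f); return NULL; }
    return f;
}

/* Run one constructor with a failing setup, then pop the caller's node. */
static int caller_pop_after_failure(node *(*ctor)(node *, node *, int)) {
    node f = { NULL, NULL, 1 }, out = { NULL, NULL, 1 };
    if (ctor(&f, &out, 0) != NULL) return 1;   /* constructor must report failure */
    return chain_pop(&out);                    /* -1 = stale pointer reached */
}

int main(void) {
    printf("buggy: %d, fixed: %d\n", caller_pop_after_failure(new_filter_buggy),
           caller_pop_after_failure(new_filter_fixed));
    return 0;
}
```

The caller does nothing wrong in either case: it checks for NULL and then unlinks its own object, which is why the cleanup has to happen inside the constructor's error path.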

Comment 4 Zack Miele 2023-02-07 17:56:03 UTC
Created edk2 tracking bugs for this issue:

Affects: fedora-36 [bug 2167889]
Affects: fedora-37 [bug 2167897]


Created mingw-openssl tracking bugs for this issue:

Affects: fedora-36 [bug 2167890]
Affects: fedora-37 [bug 2167896]


Created openssl tracking bugs for this issue:

Affects: fedora-36 [bug 2167891]
Affects: fedora-37 [bug 2167898]


Created openssl1.1 tracking bugs for this issue:

Affects: fedora-36 [bug 2167892]
Affects: fedora-37 [bug 2167899]


Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 2167888]


Created openssl3 tracking bugs for this issue:

Affects: epel-8 [bug 2167887]


Created shim tracking bugs for this issue:

Affects: fedora-36 [bug 2167893]
Affects: fedora-37 [bug 2167900]


Created shim-unsigned-aarch64 tracking bugs for this issue:

Affects: fedora-36 [bug 2167894]
Affects: fedora-37 [bug 2167901]


Created shim-unsigned-x64 tracking bugs for this issue:

Affects: fedora-36 [bug 2167895]
Affects: fedora-37 [bug 2167902]

Comment 7 errata-xmlrpc 2023-02-28 08:18:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0946 https://access.redhat.com/errata/RHSA-2023:0946

Comment 8 Christopher Voltz 2023-03-10 16:14:17 UTC
Do we have a schedule for when this will be fixed in RHEL 8?

Comment 9 errata-xmlrpc 2023-03-14 13:52:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1199 https://access.redhat.com/errata/RHSA-2023:1199

Comment 10 errata-xmlrpc 2023-03-22 10:33:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1405 https://access.redhat.com/errata/RHSA-2023:1405

Comment 11 Product Security DevOps Team 2023-03-22 14:04:54 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0215

Comment 12 errata-xmlrpc 2023-05-09 07:13:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2165 https://access.redhat.com/errata/RHSA-2023:2165

Comment 13 errata-xmlrpc 2023-05-16 08:29:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2932 https://access.redhat.com/errata/RHSA-2023:2932

Comment 14 errata-xmlrpc 2023-05-31 18:36:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:3408 https://access.redhat.com/errata/RHSA-2023:3408

Comment 15 errata-xmlrpc 2023-06-05 11:47:07 UTC
This issue has been addressed in the following products:

  JBCS httpd 2.4.51.sp2

Via RHSA-2023:3355 https://access.redhat.com/errata/RHSA-2023:3355

Comment 16 errata-xmlrpc 2023-06-05 11:50:57 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2023:3354 https://access.redhat.com/errata/RHSA-2023:3354

Comment 17 errata-xmlrpc 2023-06-05 13:56:04 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:3420 https://access.redhat.com/errata/RHSA-2023:3420

Comment 18 errata-xmlrpc 2023-06-05 14:16:34 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2023:3421 https://access.redhat.com/errata/RHSA-2023:3421

Comment 19 errata-xmlrpc 2023-07-18 08:19:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:4128 https://access.redhat.com/errata/RHSA-2023:4128
