Bug 2164440 (CVE-2023-0286) - CVE-2023-0286 openssl: X.400 address type confusion in X.509 GeneralName
Summary: CVE-2023-0286 openssl: X.400 address type confusion in X.509 GeneralName
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-0286
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2164526 2164527 2164528 2164530 2164531 2164532 2164533 2164534 2164535 2164536 2164537 2164538 2164539 2166343 2167865 2167866 2167867 2167868 2167869 2167870 2167871 2167872 2167873 2167874 2167875 2167876 2167877 2167878 2167879 2167880 2176790 2178650 2178651 2178652 2178653 2178654 2178655 2178656 2178657 2178658 2178659 2178660 2178661 2178662 2178663 2178664 2178665 2178666 2178667 2178668 2178669 2178670 2178671 2178672 2178673 2178674 2178675 2178676 2178687 2183954
Blocks: 2164384
TreeView+ depends on / blocked
 
Reported: 2023-01-25 14:49 UTC by Sandipan Roy
Modified: 2024-06-19 23:04 UTC (History)
69 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A type confusion vulnerability was found in OpenSSL when OpenSSL X.400 addresses processing inside an X.509 GeneralName. When CRL checking is enabled (for example, the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or cause a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, of which neither needs a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. In this case, this vulnerability is likely only to affect applications that have implemented their own functionality for retrieving CRLs over a network.
Clone Of:
Environment:
Last Closed: 2023-03-23 15:46:42 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:1350 0 None None None 2023-03-20 14:44:50 UTC
Red Hat Product Errata RHBA-2023:1352 0 None None None 2023-03-20 14:45:02 UTC
Red Hat Product Errata RHBA-2023:1357 0 None None None 2023-03-20 17:36:43 UTC
Red Hat Product Errata RHBA-2023:1379 0 None None None 2023-03-21 14:43:43 UTC
Red Hat Product Errata RHBA-2023:1382 0 None None None 2023-03-21 16:51:33 UTC
Red Hat Product Errata RHBA-2023:1383 0 None None None 2023-03-21 16:51:26 UTC
Red Hat Product Errata RHBA-2023:1384 0 None None None 2023-03-21 16:51:58 UTC
Red Hat Product Errata RHBA-2023:1385 0 None None None 2023-03-21 18:40:50 UTC
Red Hat Product Errata RHBA-2023:1386 0 None None None 2023-03-21 16:52:09 UTC
Red Hat Product Errata RHBA-2023:1387 0 None None None 2023-03-21 16:51:46 UTC
Red Hat Product Errata RHBA-2023:1388 0 None None None 2023-03-21 17:41:05 UTC
Red Hat Product Errata RHBA-2023:1413 0 None None None 2023-03-22 19:48:33 UTC
Red Hat Product Errata RHBA-2023:1414 0 None None None 2023-03-22 19:48:39 UTC
Red Hat Product Errata RHBA-2023:1415 0 None None None 2023-03-22 19:54:54 UTC
Red Hat Product Errata RHBA-2023:1416 0 None None None 2023-03-22 20:48:27 UTC
Red Hat Product Errata RHBA-2023:1417 0 None None None 2023-03-22 20:44:54 UTC
Red Hat Product Errata RHBA-2023:1418 0 None None None 2023-03-22 20:56:33 UTC
Red Hat Product Errata RHBA-2023:1419 0 None None None 2023-03-22 21:00:52 UTC
Red Hat Product Errata RHBA-2023:1420 0 None None None 2023-03-22 21:25:30 UTC
Red Hat Product Errata RHBA-2023:1421 0 None None None 2023-03-22 21:26:39 UTC
Red Hat Product Errata RHBA-2023:1422 0 None None None 2023-03-22 21:34:44 UTC
Red Hat Product Errata RHBA-2023:1423 0 None None None 2023-03-22 21:37:31 UTC
Red Hat Product Errata RHBA-2023:1424 0 None None None 2023-03-22 21:42:53 UTC
Red Hat Product Errata RHBA-2023:1425 0 None None None 2023-03-22 21:38:46 UTC
Red Hat Product Errata RHBA-2023:1426 0 None None None 2023-03-22 21:47:22 UTC
Red Hat Product Errata RHBA-2023:1429 0 None None None 2023-03-23 07:49:31 UTC
Red Hat Product Errata RHBA-2023:1430 0 None None None 2023-03-23 09:21:21 UTC
Red Hat Product Errata RHBA-2023:1431 0 None None None 2023-03-23 08:53:26 UTC
Red Hat Product Errata RHBA-2023:1446 0 None None None 2023-03-23 13:05:01 UTC
Red Hat Product Errata RHBA-2023:1449 0 None None None 2023-03-23 17:47:57 UTC
Red Hat Product Errata RHBA-2023:1456 0 None None None 2023-03-23 20:36:41 UTC
Red Hat Product Errata RHBA-2023:1457 0 None None None 2023-03-23 20:38:10 UTC
Red Hat Product Errata RHBA-2023:1459 0 None None None 2023-03-27 01:23:03 UTC
Red Hat Product Errata RHBA-2023:1460 0 None None None 2023-03-27 06:58:58 UTC
Red Hat Product Errata RHBA-2023:1461 0 None None None 2023-03-27 08:50:17 UTC
Red Hat Product Errata RHBA-2023:1463 0 None None None 2023-03-27 07:48:49 UTC
Red Hat Product Errata RHBA-2023:1464 0 None None None 2023-03-27 10:35:07 UTC
Red Hat Product Errata RHBA-2023:1465 0 None None None 2023-03-27 08:02:45 UTC
Red Hat Product Errata RHBA-2023:1473 0 None None None 2023-03-27 09:36:09 UTC
Red Hat Product Errata RHBA-2023:1474 0 None None None 2023-03-27 15:05:40 UTC
Red Hat Product Errata RHBA-2023:1475 0 None None None 2023-03-27 10:36:01 UTC
Red Hat Product Errata RHBA-2023:1476 0 None None None 2023-03-27 11:23:52 UTC
Red Hat Product Errata RHBA-2023:1477 0 None None None 2023-03-27 10:54:11 UTC
Red Hat Product Errata RHBA-2023:1483 0 None None None 2023-03-27 19:58:31 UTC
Red Hat Product Errata RHBA-2023:1484 0 None None None 2023-03-27 19:58:24 UTC
Red Hat Product Errata RHBA-2023:1485 0 None None None 2023-03-28 04:55:53 UTC
Red Hat Product Errata RHBA-2023:1489 0 None None None 2023-03-28 08:11:53 UTC
Red Hat Product Errata RHBA-2023:1493 0 None None None 2023-03-28 11:36:17 UTC
Red Hat Product Errata RHBA-2023:1495 0 None None None 2023-03-28 12:22:26 UTC
Red Hat Product Errata RHBA-2023:1497 0 None None None 2023-03-28 14:02:00 UTC
Red Hat Product Errata RHBA-2023:1499 0 None None None 2023-03-28 17:57:53 UTC
Red Hat Product Errata RHBA-2023:1500 0 None None None 2023-03-28 19:04:48 UTC
Red Hat Product Errata RHBA-2023:1502 0 None None None 2023-03-28 21:16:04 UTC
Red Hat Product Errata RHBA-2023:1517 0 None None None 2023-03-29 12:59:19 UTC
Red Hat Product Errata RHBA-2023:1519 0 None None None 2023-03-29 12:49:54 UTC
Red Hat Product Errata RHBA-2023:1520 0 None None None 2023-03-29 12:45:55 UTC
Red Hat Product Errata RHBA-2023:1530 0 None None None 2023-03-30 09:59:18 UTC
Red Hat Product Errata RHBA-2023:1532 0 None None None 2023-03-30 12:21:16 UTC
Red Hat Product Errata RHBA-2023:1536 0 None None None 2023-03-30 15:39:55 UTC
Red Hat Product Errata RHBA-2023:1539 0 None None None 2023-03-30 19:40:00 UTC
Red Hat Product Errata RHBA-2023:1541 0 None None None 2023-04-03 06:50:51 UTC
Red Hat Product Errata RHBA-2023:1542 0 None None None 2023-04-03 06:53:02 UTC
Red Hat Product Errata RHBA-2023:1625 0 None None None 2023-04-04 14:23:31 UTC
Red Hat Product Errata RHBA-2023:1626 0 None None None 2023-04-04 15:41:48 UTC
Red Hat Product Errata RHBA-2023:1627 0 None None None 2023-04-04 16:48:15 UTC
Red Hat Product Errata RHBA-2023:1628 0 None None None 2023-04-04 16:42:11 UTC
Red Hat Product Errata RHBA-2023:1641 0 None None None 2023-04-05 02:58:32 UTC
Red Hat Product Errata RHBA-2023:1654 0 None None None 2023-04-05 12:31:02 UTC
Red Hat Product Errata RHBA-2023:1686 0 None None None 2023-04-11 11:24:19 UTC
Red Hat Product Errata RHBA-2023:1688 0 None None None 2023-04-11 13:11:37 UTC
Red Hat Product Errata RHBA-2023:1708 0 None None None 2023-04-11 14:49:50 UTC
Red Hat Product Errata RHBA-2023:1736 0 None None None 2023-04-11 21:35:13 UTC
Red Hat Product Errata RHBA-2023:1738 0 None None None 2023-04-12 12:46:59 UTC
Red Hat Product Errata RHBA-2023:1764 0 None None None 2023-04-12 21:25:13 UTC
Red Hat Product Errata RHBA-2023:1798 0 None None None 2023-04-17 01:50:47 UTC
Red Hat Product Errata RHBA-2023:1800 0 None None None 2023-04-17 13:18:31 UTC
Red Hat Product Errata RHBA-2023:1825 0 None None None 2023-04-18 16:52:51 UTC
Red Hat Product Errata RHBA-2023:1850 0 None None None 2023-04-18 21:30:17 UTC
Red Hat Product Errata RHBA-2023:1886 0 None None None 2023-04-19 19:40:45 UTC
Red Hat Product Errata RHBA-2023:1929 0 None None None 2023-04-24 01:45:00 UTC
Red Hat Product Errata RHBA-2023:2033 0 None None None 2023-04-26 18:29:07 UTC
Red Hat Product Errata RHBA-2023:2048 0 None None None 2023-04-27 13:25:46 UTC
Red Hat Product Errata RHBA-2023:2086 0 None None None 2023-05-02 18:14:57 UTC
Red Hat Product Errata RHBA-2023:2088 0 None None None 2023-05-03 02:30:42 UTC
Red Hat Product Errata RHBA-2023:2105 0 None None None 2023-05-03 22:06:01 UTC
Red Hat Product Errata RHBA-2023:2106 0 None None None 2023-05-03 22:25:45 UTC
Red Hat Product Errata RHBA-2023:4239 0 None None None 2023-07-20 15:31:50 UTC
Red Hat Product Errata RHSA-2023:0946 0 None None None 2023-02-28 08:18:02 UTC
Red Hat Product Errata RHSA-2023:1199 0 None None None 2023-03-14 13:52:49 UTC
Red Hat Product Errata RHSA-2023:1335 0 None None None 2023-03-20 09:40:02 UTC
Red Hat Product Errata RHSA-2023:1405 0 None None None 2023-03-22 10:33:38 UTC
Red Hat Product Errata RHSA-2023:1437 0 None None None 2023-03-23 10:55:53 UTC
Red Hat Product Errata RHSA-2023:1438 0 None None None 2023-03-23 11:05:59 UTC
Red Hat Product Errata RHSA-2023:1439 0 None None None 2023-03-23 11:04:45 UTC
Red Hat Product Errata RHSA-2023:1440 0 None None None 2023-03-23 11:06:42 UTC
Red Hat Product Errata RHSA-2023:1441 0 None None None 2023-03-23 11:07:34 UTC
Red Hat Product Errata RHSA-2023:2022 0 None None None 2023-04-26 08:07:10 UTC
Red Hat Product Errata RHSA-2023:2165 0 None None None 2023-05-09 07:13:17 UTC
Red Hat Product Errata RHSA-2023:2932 0 None None None 2023-05-16 08:29:39 UTC
Red Hat Product Errata RHSA-2023:3354 0 None None None 2023-06-05 11:50:59 UTC
Red Hat Product Errata RHSA-2023:3355 0 None None None 2023-06-05 11:47:09 UTC
Red Hat Product Errata RHSA-2023:3420 0 None None None 2023-06-05 13:56:10 UTC
Red Hat Product Errata RHSA-2023:3421 0 None None None 2023-06-05 14:16:40 UTC
Red Hat Product Errata RHSA-2023:4124 0 None None None 2023-07-18 07:44:51 UTC
Red Hat Product Errata RHSA-2023:4128 0 None None None 2023-07-18 08:19:41 UTC
Red Hat Product Errata RHSA-2023:4252 0 None None None 2023-07-25 07:52:56 UTC
Red Hat Product Errata RHSA-2023:5209 0 None None None 2023-09-19 01:08:51 UTC

Description Sandipan Roy 2023-01-25 14:49:57 UTC
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
the public structure definition for GENERAL_NAME incorrectly specified the type
of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by
the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the
X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass
arbitrary pointers to a memcmp call, enabling them to read memory contents or
enact a denial of service. In most cases, the attack requires the attacker to
provide both the certificate chain and CRL, neither of which need to have a
valid signature. If the attacker only controls one of these inputs, the other
input must already contain an X.400 address as a CRL distribution point, which
is uncommon. As such, this vulnerability is most likely to only affect
applications which have implemented their own functionality for retrieving CRLs
over a network.

Comment 7 Zack Miele 2023-02-07 17:48:04 UTC
Created edk2 tracking bugs for this issue:

Affects: fedora-36 [bug 2167867]
Affects: fedora-37 [bug 2167874]


Created mingw-openssl tracking bugs for this issue:

Affects: fedora-36 [bug 2167868]
Affects: fedora-37 [bug 2167875]


Created openssl tracking bugs for this issue:

Affects: fedora-36 [bug 2167869]
Affects: fedora-37 [bug 2167876]


Created openssl1.1 tracking bugs for this issue:

Affects: fedora-36 [bug 2167870]
Affects: fedora-37 [bug 2167877]


Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 2167865]


Created openssl3 tracking bugs for this issue:

Affects: epel-8 [bug 2167866]


Created shim tracking bugs for this issue:

Affects: fedora-36 [bug 2167871]
Affects: fedora-37 [bug 2167878]


Created shim-unsigned-aarch64 tracking bugs for this issue:

Affects: fedora-36 [bug 2167872]
Affects: fedora-37 [bug 2167879]


Created shim-unsigned-x64 tracking bugs for this issue:

Affects: fedora-36 [bug 2167873]
Affects: fedora-37 [bug 2167880]

Comment 8 Nikita Ivanov 2023-02-10 10:00:17 UTC
Hi! As I see, you state that RHEL6 openssl is not affected. I suppose you have concluded this from Security Advisory, but source code of openssl shows that vulnerable piece of code seems to be present. Have you verified the source code or concluded vulnerability status from security advisory? If you have verified the source code, could you please explain what exactly makes you think that openssl is not vulnerable?

Comment 9 Nikita Ivanov 2023-02-10 10:00:55 UTC
Hi! As I see, you state that RHEL6 openssl is not affected. I suppose you have concluded this from Security Advisory, but source code of openssl shows that vulnerable piece of code seems to be present. Have you verified the source code or concluded vulnerability status from security advisory? If you have verified the source code, could you please explain what exactly makes you think that openssl is not vulnerable?

Comment 10 Sandipan Roy 2023-02-10 10:07:25 UTC
(In reply to Nikita Ivanov from comment #9)
> Hi! As I see, you state that RHEL6 openssl is not affected. I suppose you
> have concluded this from Security Advisory, but source code of openssl shows
> that vulnerable piece of code seems to be present. Have you verified the
> source code or concluded vulnerability status from security advisory? If you
> have verified the source code, could you please explain what exactly makes
> you think that openssl is not vulnerable?

Hello Nikita,

We are not fixing that on RHEL-6, because as per internal policies, RHEL-6 is out of support scope.
And yes, It's vulnerable to this security flaw.

Thanks

Comment 21 errata-xmlrpc 2023-02-28 08:17:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0946 https://access.redhat.com/errata/RHSA-2023:0946

Comment 22 Sandra Carney 2023-03-02 21:08:16 UTC
Any plans to address it in RHEL8?

Comment 23 Sandipan Roy 2023-03-03 04:26:40 UTC
(In reply to Sandra Carney from comment #22)
> Any plans to address it in RHEL8?

RHSA-2023:109716 is already in Progress for RHEL-8.
Thanks.

Comment 24 Sandra Carney 2023-03-03 16:30:53 UTC
I checked the Errata don't see it.  Is that because it hasn't been published, yet.  Are you targeting RHEL8 with the fix?

Comment 25 Sandra Carney 2023-03-03 16:33:51 UTC
Sorry, I meant RHEL 8.8

Comment 27 errata-xmlrpc 2023-03-14 13:52:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1199 https://access.redhat.com/errata/RHSA-2023:1199

Comment 32 errata-xmlrpc 2023-03-20 09:39:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:1335 https://access.redhat.com/errata/RHSA-2023:1335

Comment 33 Shankar narayanan R 2023-03-20 15:44:58 UTC
Hi, I meant to ask the patch as in a diff of the code. Is it possible to get it ?

Comment 35 Shankar narayanan R 2023-03-22 03:59:04 UTC
Thanks a lot @klaas

Comment 36 errata-xmlrpc 2023-03-22 10:33:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1405 https://access.redhat.com/errata/RHSA-2023:1405

Comment 37 errata-xmlrpc 2023-03-23 10:55:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:1437 https://access.redhat.com/errata/RHSA-2023:1437

Comment 38 errata-xmlrpc 2023-03-23 11:04:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:1439 https://access.redhat.com/errata/RHSA-2023:1439

Comment 39 errata-xmlrpc 2023-03-23 11:05:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2023:1438 https://access.redhat.com/errata/RHSA-2023:1438

Comment 40 errata-xmlrpc 2023-03-23 11:06:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1440 https://access.redhat.com/errata/RHSA-2023:1440

Comment 41 errata-xmlrpc 2023-03-23 11:07:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1441 https://access.redhat.com/errata/RHSA-2023:1441

Comment 43 Product Security DevOps Team 2023-03-23 15:46:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0286

Comment 47 errata-xmlrpc 2023-04-26 08:07:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:2022 https://access.redhat.com/errata/RHSA-2023:2022

Comment 48 errata-xmlrpc 2023-05-09 07:13:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2165 https://access.redhat.com/errata/RHSA-2023:2165

Comment 49 errata-xmlrpc 2023-05-16 08:29:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2932 https://access.redhat.com/errata/RHSA-2023:2932

Comment 50 errata-xmlrpc 2023-06-05 11:47:04 UTC
This issue has been addressed in the following products:

  JBCS httpd 2.4.51.sp2

Via RHSA-2023:3355 https://access.redhat.com/errata/RHSA-2023:3355

Comment 51 errata-xmlrpc 2023-06-05 11:50:52 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2023:3354 https://access.redhat.com/errata/RHSA-2023:3354

Comment 52 errata-xmlrpc 2023-06-05 13:56:03 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:3420 https://access.redhat.com/errata/RHSA-2023:3420

Comment 53 errata-xmlrpc 2023-06-05 14:16:33 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2023:3421 https://access.redhat.com/errata/RHSA-2023:3421

Comment 54 errata-xmlrpc 2023-07-18 07:44:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:4124 https://access.redhat.com/errata/RHSA-2023:4124

Comment 55 errata-xmlrpc 2023-07-18 08:19:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:4128 https://access.redhat.com/errata/RHSA-2023:4128

Comment 56 errata-xmlrpc 2023-07-25 07:52:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4252 https://access.redhat.com/errata/RHSA-2023:4252

Comment 58 errata-xmlrpc 2023-09-19 01:08:44 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2023:5209 https://access.redhat.com/errata/RHSA-2023:5209


Note You need to log in before you can comment on or make changes to this bug.