OpenSSL has released patches for three release branches, 3.0, 1.1.1 and 1.0.2 (the two open-source branches and the legacy, premium-support one), fixing a total of eight vulnerabilities. Seven of the eight are memory-management bugs; the eighth is a timing side channel.
Developers currently using the aforementioned libraries are advised to update to versions 3.0.8, 1.1.1t and 1.0.2zg respectively. The version 1.0.2zg update is only available for premium support customers.
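A quick way to act on that advice across a fleet is to compare the banner printed by `openssl version` against the fixed releases named above. The checker below is an added example, not code from OpenSSL or the article; it assumes the legacy letter patch levels sort a..z, then za, zb, ... (which is how 1.0.2 reached 1.0.2zg), and the sample banners at the bottom are constructed, not captured from real hosts.

```python
import re
from typing import Optional, Tuple

# First release on each affected branch that carries the February 2023 fixes,
# as named in the advisory summary above.
FIXED_RELEASES = {"3.0": "3.0.8", "1.1.1": "1.1.1t", "1.0.2": "1.0.2zg"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def _letter_rank(suffix: str) -> int:
    """Order a legacy letter patch level ('t', 'zf', 'zg', ...) as an integer.

    OpenSSL 1.x used a..z and then za, zb, ... once the alphabet ran out, so a
    base-26 positional value keeps 't' < 'y' < 'z' < 'za' < 'zg'. No suffix
    (a 3.0.x release, or a branch's first release) ranks 0.
    """
    rank = 0
    for ch in suffix:
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    return rank


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse '3.0.7', '1.1.1s' or a full `openssl version` banner such as
    'OpenSSL 1.0.2zf 5 Aug 2022' into a comparable (major, minor, patch, letter) tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), _letter_rank(suffix))


def branch_of(version: Tuple[int, int, int, int]) -> Optional[str]:
    """Map a parsed version onto one of the three branches the advisory covers."""
    major, minor, patch, _ = version
    if (major, minor) == (3, 0):          # 3.0.x: the third number is the fix level
        return "3.0"
    if (major, minor, patch) == (1, 1, 1):  # 1.1.1x: the letter is the fix level
        return "1.1.1"
    if (major, minor, patch) == (1, 0, 2):  # 1.0.2x: same, but runs past 'z'
        return "1.0.2"
    return None


def is_patched(text: str) -> Optional[bool]:
    """True if the build includes the fixes, False if it sits on an affected branch
    below the fixed release, None if the banner is unparseable or the version is
    not on one of the three branches the advisory covers."""
    version = parse_version(text)
    if version is None:
        return None
    branch = branch_of(version)
    if branch is None:
        return None
    return version >= parse_version(FIXED_RELEASES[branch])


def audit(banners):
    """Classify a batch of banners, e.g. collected from `openssl version` on each host."""
    return {banner: is_patched(banner) for banner in banners}


if __name__ == "__main__":
    # Constructed sample banners (hypothetical hosts), not real inventory data.
    SAMPLE_BANNERS = [
        "OpenSSL 3.0.7 1 Nov 2022",
        "OpenSSL 3.0.8 7 Feb 2023",
        "OpenSSL 1.1.1s  1 Nov 2022",
        "OpenSSL 1.1.1t  7 Feb 2023",
        "OpenSSL 1.0.2zf 5 Aug 2022",
        "OpenSSL 1.0.2zg 7 Feb 2023",
        "LibreSSL 3.6.1",
    ]
    for banner, state in audit(SAMPLE_BANNERS).items():
        label = {True: "patched", False: "VULNERABLE", None: "not covered"}[state]
        print(f"{label:<12} {banner}")
```

The check is a version comparison only: a distribution that backports the fixes without bumping the upstream version string (as several Linux vendors do) will show as vulnerable here, so treat a False as a prompt to check the package changelog rather than as a confirmed finding.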
The most severe of the eight, CVE-2023-0286, lets an attacker pass an arbitrary pointer to a memcmp call, which can lead to a read of memory contents or a denial of service. In most cases, though, the attacker must supply both a certificate chain and a CRL, neither of which needs a valid signature.

If the attacker controls only one of those two inputs, the other must already contain an X.400 address as a CRL distribution point. Given this precondition, the vulnerability is most likely to affect applications that implement their own functionality for fetching CRLs over a network.
Most of the other seven vulnerabilities enable denial of service: they tie up or crash the affected server process. Some of them, however, such as CVE-2022-4203 and CVE-2022-4304, could also leak data, at least in theory.
Details of all eight vulnerabilities are as follows.
CVE identifier | Severity rating | Description | Versions affected
---|---|---|---
CVE-2023-0286 | High | X.400 address type confusion in X.509 GeneralName | 3.0, 1.1.1 and 1.0.2
CVE-2023-0215 | Moderate | Use-after-free following BIO_new_NDEF | 3.0, 1.1.1 and 1.0.2
CVE-2022-4450 | Moderate | Double free after calling PEM_read_bio_ex | 3.0 and 1.1.1
CVE-2022-4203 | Moderate | X.509 Name Constraints read buffer overflow | 3.0.0 to 3.0.7
CVE-2023-0216 | Moderate | Invalid pointer dereference in d2i_PKCS7 functions | 3.0.0 to 3.0.7
CVE-2023-0217 | Moderate | NULL dereference validating DSA public key | 3.0.0 to 3.0.7
CVE-2023-0401 | Moderate | NULL dereference during PKCS7 data verification | 3.0.0 to 3.0.7
CVE-2022-4304 | Moderate | Timing oracle in RSA decryption | 3.0, 1.1.1 and 1.0.2