Skip to content

OpenSSL patch fixes 1 critical and 7 moderate vulnerabilities

  • by
  • 2 min read
NordVPN confirms that one of its datacenters was hacked

OpenSSL has released three patches for versions 3.0, 1.1.1 and 1.0.2, covering the two open-source and one legacy libraries fixing a total of eight vulnerabilities. Seven of these vulnerabilities were caused by memory mismanagement while the eighth is a timing bug.

Developers currently using the aforementioned libraries are advised to update to versions 3.0.8, 1.1.1t and 1.0.2zg respectively. The version 1.0.2zg update is only available for premium support customers.

The most severe of the eight vulnerabilities, CVE-2023-0286, allows an attacker to pass an arbitrary pointer to a memcmp call, eventually letting them read memory content or carry out a DoS attack. That said, the attack requires the certificate chain and CRL in most cases, neither of which need to have a valid signature.

Even if the attacker has access to one of these inputs, the other will automatically contain an X.400 address as a CRL distribution point. Considering this requirement for exploitation, the vulnerability is most likely to affect applications that implement their own functionality for fetching CRLs over a network.

Most of the other seven vulnerabilities lead to a DoS attack by tying up one process or the other on the server eventually causing a crash. However, some vulnerabilities like CVE-2022-4203 and CVE-2022-4304 can also cause data leaks, at least in theory.

Details of all eight vulnerabilities are as follows.

CVE identifierSeverity ratingDescriptionVersions affected
CVE-2023-0286High severityX.400 address type confusion in X.509 GeneralName3.0, 1.0.1 and 1.0.2
CVE-2023-0215Moderate severityUse-after-free following BIO_new_NDEF3.0, 1.1.1 and 1.0.2
CVE-2022-4450Moderate severityDouble free after calling PEM_read_bio_ex3.0 and 1.1.1
CVE-2022-4203Moderate severityX.509 Name Constraints Read Buffer Overflow3.0.0 to 3.0.7
CVE-2023-0216Moderate severityInvalid pointer dereference in d2i_PKCS7 functions3.0.0 to 3.0.7
CVE-2023-0217Moderate severityNULL dereference validating DSA public key3.0.0 to 3.0.7
CVE-2023-0401Moderate severityNULL dereference during PKCS7 data verification3.0.0 to 3.0.7
CVE-2022-4304Moderate severityTiming Oracle in RSA Decryption3.0, 1.0.1 and 1.0.2

In the News: Bing and Edge are now powered by upgraded ChatGPT

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

>