{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-007.pdf"
    },
    "title": "High Severity Vulnerability in OpenSSL",
    "serial_number": "2023-007",
    "publish_date": "08-02-2023 17:20:00",
    "description": "On February 7, the OpenSSL project team released a major security update to address 8 vulnerabilities. One vulnerability, tracked as CVE-2023-0286 and rated as High, may allow a remote attacker to read arbitrary memory contents or cause OpenSSL to crash, resulting in a denial of service.",
    "url_title": "2023-007",
    "content_markdown": "---\ntitle: 'High Severity Vulnerability in OpenSSL'\nversion: '1.0'\nnumber: '2023-007'\noriginal_date: 'February 8, 2023'\ndate: 'February 8, 2023'\n---\n\n_History:_\n\n* _08/02/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn February 7, the OpenSSL project team released a major security update to address 8 vulnerabilities. One vulnerability, tracked as **CVE-2023-0286** and rated as **High**, may allow a remote attacker to read arbitrary memory contents or cause OpenSSL to crash, resulting in a denial of service [1].\n\n# Technical Details\n\n`CVE-2023-0286` is a type confusion vulnerability relating to `X.400` address processing inside an `X.509 GeneralName`. When CRL checking is enabled, this vulnerability may allow an attacker to pass arbitrary pointers to a `memcmp` call, enabling them to read memory contents or cause a denial of service.\n\nTo exploit the vulnerability, an attacker would need to provide both the certificate chain and the CRL, neither of which needs to have a valid signature.\n\nThis vulnerability is most likely to affect only applications that have implemented their own functionality for retrieving CRLs over a network.\n\n# Affected Products\n\nOpenSSL versions 3.0, 1.1.1 and 1.0.2.\n\n# Recommendations\n\nCERT-EU recommends applying the available upgrades [1]:\n\n- OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8\n- OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1t\n- OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg (premium support customers only)\n\n# References\n\n[1] <https://www.openssl.org/news/secadv/20230207.txt>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>08/02/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On February 7, the OpenSSL project team released a major security update to address 8 vulnerabilities. One vulnerability, tracked as <strong>CVE-2023-0286</strong> and rated as <strong>High</strong>, may allow a remote attacker to read arbitrary memory contents or cause OpenSSL to crash, resulting in a denial of service [1].</p><h2 id=\"technical-details\">Technical Details</h2><p><code>CVE-2023-0286</code> is a type confusion vulnerability relating to <code>X.400</code> address processing inside an <code>X.509 GeneralName</code>. When CRL checking is enabled, this vulnerability may allow an attacker to pass arbitrary pointers to a <code>memcmp</code> call, enabling them to read memory contents or cause a denial of service.</p><p>To exploit the vulnerability, an attacker would need to provide both the certificate chain and the CRL, neither of which needs to have a valid signature.</p><p>This vulnerability is most likely to affect only applications that have implemented their own functionality for retrieving CRLs over a network.</p><h2 id=\"affected-products\">Affected Products</h2><p>OpenSSL versions 3.0, 1.1.1 and 1.0.2.</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends applying the available upgrades [1]:</p><ul><li>OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8</li><li>OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1t</li><li>OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg (premium support customers only)</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.openssl.org/news/secadv/20230207.txt\">https://www.openssl.org/news/secadv/20230207.txt</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}