Lucene search
AlmaLinuxALSA-2023:3722HistoryJun 21, 2023 - 12:00 a.m.
Moderate: openssl security and bug fix update
2023-06-2100:00:00
errata.almalinux.org
65
openssl
secure sockets layer
transport layer security
dos
resource usage
x509 policy constraints
leaf certificates
fips mode
hash algorithms
aes-gcm
rsa encryption
dhx keys
ecdsa_do_sign
tls 1.2
ibmc engine
core dump
CVSS3
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
0.004
Percentile
72.6%
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.
Security Fix(es):
- openssl: Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)
- openssl: Denial of service by excessive resource usage in verifying X509 policy constraints (CVE-2023-0464)
- openssl: Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465)
- openssl: Certificate policy check not enabled (CVE-2023-0466)
- openssl: Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- In FIPS mode, openssl KDFs should only allow selected hash algorithms (BZ#2175860)
- In FIPS mode, openssl should reject short KDF input or output keys or provide an indicator (BZ#2175864)
- In FIPS mode, openssl should provide an indicator for AES-GCM to query whether the IV was generated internally or provided externally (BZ#2175868)
- openssl FIPS mode self-test should zeroize
outinverify_integrityin providers/fips/self_test.c (BZ#2175873) - In FIPS mode, openssl should not support RSA encryption or decryption without padding (outside of RSASVE) or provide an indicator (BZ#2178029)
- In FIPS mode, openssl should reject EVP_PKEY_fromdata() for short DHX keys, or provide an indicator (BZ#2178030)
- In FIPS mode, openssl should not use the legacy ECDSA_do_sign(), RSA_public_encrypt(), RSA_private_decrypt() functions for pairwise consistency tests (BZ#2178034)
- In FIPS mode, openssl should enter error state when DH PCT fails (BZ#2178039)
- In FIPS mode, openssl should always run the PBKDF2 lower bounds checks or provide an indicator when the pkcs5 parameter is set to 1 (BZ#2178137)
- Support requiring EMS in TLS 1.2, default to it when in FIPS mode (BZ#2188046)
- OpenSSL rsa_verify_recover doesn’t use the same key checks as rsa_verify in FIPS mode (BZ#2188052)
- AlmaLinux9.0 - sshd dumps core when ibmca engine is configured with default_algorithms = CIPHERS or ALL (openssl) (BZ#2211396)
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| almalinux | 9 | i686 | openssl-devel | < 3.0.7-16.el9_2 | openssl-devel-3.0.7-16.el9_2.i686.rpm |
| almalinux | 9 | aarch64 | openssl-devel | < 3.0.7-16.el9_2 | openssl-devel-3.0.7-16.el9_2.aarch64.rpm |
| almalinux | 9 | aarch64 | openssl-perl | < 3.0.7-16.el9_2 | openssl-perl-3.0.7-16.el9_2.aarch64.rpm |
| almalinux | 9 | x86_64 | openssl-devel | < 3.0.7-16.el9_2 | openssl-devel-3.0.7-16.el9_2.x86_64.rpm |
| almalinux | 9 | x86_64 | openssl-perl | < 3.0.7-16.el9_2 | openssl-perl-3.0.7-16.el9_2.x86_64.rpm |
| almalinux | 9 | s390x | openssl-perl | < 3.0.7-16.el9_2 | openssl-perl-3.0.7-16.el9_2.s390x.rpm |
| almalinux | 9 | s390x | openssl-devel | < 3.0.7-16.el9_2 | openssl-devel-3.0.7-16.el9_2.s390x.rpm |
| almalinux | 9 | ppc64le | openssl-perl | < 3.0.7-16.el9_2 | openssl-perl-3.0.7-16.el9_2.ppc64le.rpm |
| almalinux | 9 | ppc64le | openssl-devel | < 3.0.7-16.el9_2 | openssl-devel-3.0.7-16.el9_2.ppc64le.rpm |
| almalinux | 9 | i686 | openssl-libs | < 3.0.7-16.el9_2 | openssl-libs-3.0.7-16.el9_2.i686.rpm |
References
access.redhat.com/errata/RHSA-2023:3722
access.redhat.com/security/cve/CVE-2023-0464
access.redhat.com/security/cve/CVE-2023-0465
access.redhat.com/security/cve/CVE-2023-0466
access.redhat.com/security/cve/CVE-2023-1255
access.redhat.com/security/cve/CVE-2023-2650
bugzilla.redhat.com/2181082
bugzilla.redhat.com/2182561
bugzilla.redhat.com/2182565
bugzilla.redhat.com/2188461
bugzilla.redhat.com/2207947
errata.almalinux.org/9/ALSA-2023-3722.html
Related
nessus
nessus
Oracle Linux 9 : openssl (ELSA-2023-12768)
2023-09-01 00:00:00
Oracle Linux 9 : openssl (ELSA-2023-3722)
2023-06-22 00:00:00
RHEL 9 : openssl (RHSA-2023:3722)
2023-06-22 00:00:00
osv
osv
Moderate: openssl security and bug fix update
2023-06-21 00:00:00
openssl - security update
2023-06-08 00:00:00
openssl - security update
2023-05-31 00:00:00
openvas
openvas
Fedora: Security Advisory for openssl (FEDORA-2023-026c8ba371)
2023-06-04 00:00:00
oraclelinux
oraclelinux
openssl security and bug fix update
2023-06-22 00:00:00
openssl security update
2023-08-31 00:00:00
fedora
fedora
[SECURITY] Fedora 38 Update: openssl-3.0.9-1.fc38
2023-06-03 02:46:16
[SECURITY] Fedora 37 Update: openssl-3.0.9-1.fc37
2023-06-04 01:24:09
redhat
redhat
amazon
amazon
Medium: openssl
2023-06-05 16:39:00
Medium: openssl
2023-06-05 16:39:00
Medium: openssl11
2023-05-11 17:49:00
debian
debian
[SECURITY] [DLA 3449-1] openssl security update
2023-06-08 16:32:36
[SECURITY] [DSA 5417-1] openssl security update
2023-05-31 14:50:37
ibm
ibm
rosalinux
rosalinux
Advisory ROSA-SA-2024-2366
2024-03-05 08:46:27
ubuntu
ubuntu
OpenSSL vulnerabilities
2023-04-25 00:00:00
OpenSSL vulnerabilities
2023-05-30 00:00:00
cloudfoundry
cloudfoundry
USN-6039-1: OpenSSL vulnerabilities | Cloud Foundry
2023-06-30 00:00:00
USN-6119-1: OpenSSL vulnerabilities | Cloud Foundry
2023-06-30 00:00:00
f5
f5
K000134574 : OpenSSL vulnerabilities CVE-2023-0465 and CVE-2023-0466
2023-05-11 00:00:00
K000133752 : OpenSSL vulnerability CVE-2023-1255
2023-05-01 00:00:00
freebsd
freebsd
OpenSSL -- Multiple vulnerabilities
2023-03-28 00:00:00
Python -- multiple vulnerabilities
2022-06-08 00:00:00
OpenSSL -- Possible DoS translating ASN.1 identifiers
2023-05-30 00:00:00
aix
aix
Multiple vulnerabilities in OpenSSL affect AIX
2023-09-11 10:43:54
photon
photon
Important Photon OS Security Update - PHSA-2023-5.0-0034
2023-06-21 00:00:00
Important Photon OS Security Update - PHSA-2023-3.0-0594
2023-06-08 00:00:00
cloudlinux
cloudlinux
openssl: Fix of 3 CVEs
2023-05-04 21:42:17
openssl: Fix of CVE-2023-2650
2023-06-20 13:49:26
cgr
cgr
CVE-2023-1255 vulnerabilities
2024-05-19 03:07:16
cvelist
cvelist
CVE-2023-2650 Possible DoS translating ASN.1 object identifiers
2023-05-30 13:40:11
ics
ics
Siemens SCALANCE XM-400, XR-500
2024-06-13 12:00:00
mageia
mageia
Updated openssl packages fix security vulnerability
2023-06-08 22:34:59
cbl_mariner
cbl_mariner
CVE-2023-2650 affecting package openssl 1.1.1k-15
2023-06-27 21:25:25
nvd
nvd
CVE-2023-2650
2023-05-30 14:15:09
veracode
veracode
Denial Of Services (DoS)
2023-05-15 06:35:51
CVSS3
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
0.004
Percentile
72.6%
Related for ALSA-2023:3722