CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile: 55.0%
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data.
In this case PEM_read_bio_ex() will return a failure code but will populate
the header argument with a pointer to a buffer that has already been freed.
If the caller also frees this buffer then a double free will occur. This
will most likely lead to a crash. This could be exploited by an attacker
who has the ability to supply malicious PEM files for parsing to achieve a
denial of service attack. The functions PEM_read_bio() and PEM_read() are
simple wrappers around PEM_read_bio_ex() and therefore these functions are
also directly affected. These functions are also called indirectly by a
number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
internal uses of these functions are not vulnerable because the caller does
not free the header argument if PEM_read_bio_ex() returns a failure code.
These locations include the PEM_read_bio_TYPE() functions as well as the
decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line
application is also impacted by this issue.
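The ownership rule described above, as an added example that is not OpenSSL source and not part of the original advisory: a small C model contrasting a caller that frees the header after a failed parse with one that frees only on success. `model_pem_read()` and the tracking allocator (`t_strdup`, `t_free`) are hypothetical stand-ins, and the allocator counts a second release instead of performing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Tracking allocator: t_free() only marks a buffer released, so a second
 * release is counted rather than executed (no undefined behaviour here). */
static struct { void *p; int freed; } slots[8];
static int nslots, double_frees;
static char *t_strdup(const char *s) {
    char *p = nslots < 8 ? malloc(strlen(s) + 1) : NULL;
    if (p == NULL) return NULL;
    slots[nslots].p = strcpy(p, s);
    slots[nslots++].freed = 0;
    return p;
}
static void t_free(void *p) {
    for (int i = 0; p != NULL && i < nslots; i++)
        if (slots[i].p == p) { double_frees += slots[i].freed; slots[i].freed = 1; }
}
/* Simplified model of the flawed contract: returns 1 on success, 0 on failure.
 * With a 0-byte payload it releases the header but leaves *header set. */
static int model_pem_read(size_t len, char **name, char **header, char **data) {
    *header = t_strdup("constructed header");
    if (len == 0) { t_free(*header); return 0; }
    *name = t_strdup("CERTIFICATE");
    *data = t_strdup("constructed payload");
    return 1;
}
/* Frees whatever came back, even after a failure: the affected pattern. */
static void unsafe_caller(size_t len) {
    char *name = NULL, *header = NULL, *data = NULL;
    model_pem_read(len, &name, &header, &data);
    t_free(name); t_free(header); t_free(data);
}
/* Treats the outputs as owned only on success: the unaffected pattern. */
static void safe_caller(size_t len) {
    char *name = NULL, *header = NULL, *data = NULL;
    if (!model_pem_read(len, &name, &header, &data)) return;
    t_free(name); t_free(header); t_free(data);
}
/* Runs one caller against the model and returns its double-free count. */
static int count_double_frees(void (*caller)(size_t), size_t len) {
    double_frees = 0;
    caller(len);
    while (nslots > 0) free(slots[--nslots].p); /* real release, once each */
    return double_frees;
}
int main(void) {
    printf("free-always caller: %d\n", count_double_frees(unsafe_caller, 0));
    printf("free-on-success caller: %d\n", count_double_frees(safe_caller, 0));
    return 0;
}
```

When auditing code that calls `PEM_read_bio_ex()`, `PEM_read_bio()` or `PEM_read()`, the thing to look for is a cleanup path that frees the header output regardless of the return code.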
Author | Note |
---|---|
mdeslaur | 1.0.2 is not affected |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | edk2 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | edk2 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | edk2 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | edk2 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | nodejs | < 12.22.9~dfsg-1ubuntu3.3 | UNKNOWN |
ubuntu | 18.04 | noarch | openssl | < 1.1.1-1ubuntu2.1~18.04.21 | UNKNOWN |
ubuntu | 20.04 | noarch | openssl | < 1.1.1f-1ubuntu2.17 | UNKNOWN |
ubuntu | 22.04 | noarch | openssl | < 3.0.2-0ubuntu1.8 | UNKNOWN |
ubuntu | 22.10 | noarch | openssl | < 3.0.5-2ubuntu2.1 | UNKNOWN |
ubuntu | 23.04 | noarch | openssl | < 3.0.8-1ubuntu1 | UNKNOWN |