[Bugs] [Bug 13290] New: [CVE 21] openssl 1.1.1t CVEs found

bugzilla bugzilla на rosalinux.ru
Ср Май 3 17:01:30 MSK 2023 

https://bugzilla.rosalinux.ru/show_bug.cgi?id=13290

          Platform: 2021.1
            Bug ID: 13290
           Summary: [CVE 21] openssl 1.1.1t  CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2016-7798, CVE-2016-8610, CVE-2018-16395,
                    CVE-2018-5407, CVE-2023-0464, CVE-2023-0465,
                    CVE-2023-0466,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs на lists.rosalinux.ru
          Reporter: y.tumanov на rosalinux.ru
        QA Contact: bugs на lists.rosalinux.ru
                CC: s.matveev на rosalinux.ru, y.tumanov на rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package openssl version 1.1.1t

INFO (CVEs are): openssl 1.1.1t
 cves found
CVE-2016-7798
Desc: The openssl gem for Ruby uses the same initialization vector (IV) in GCM
Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for
context-dependent attackers to bypass the encryption protection mechanism.
Link: https://nvd.nist.gov/vuln/detail/CVE-2016-7798
Severity: HIGH
CVE-2016-8610
Desc: A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through
1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT
packets during a connection handshake. A remote attacker could use this flaw to
make a TLS/SSL server consume an excessive amount of CPU and fail to accept
connections from other clients.
Link: https://nvd.nist.gov/vuln/detail/CVE-2016-8610
Severity: HIGH
CVE-2018-16395
Desc: An issue was discovered in the OpenSSL library in Ruby before 2.3.8,
2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When
two OpenSSL::X509::Name objects are compared using ==, depending on the
ordering, non-equal objects may return true. When the first argument is one
character longer than the second, or the second argument contains a character
that is one less than a character in the same position of the first argument,
the result of == will be true. This could be leveraged to create an
illegitimate certificate that may be accepted as legitimate and then used in
signing or encryption operations.
Link: https://nvd.nist.gov/vuln/detail/CVE-2018-16395
Severity: CRITICAL
CVE-2018-5407
Desc: Simultaneous Multi-threading (SMT) in processors can enable local users
to exploit software vulnerable to timing attacks via a side-channel timing
attack on 'port contention'.
Link: https://nvd.nist.gov/vuln/detail/CVE-2018-5407
Severity: MEDIUM
CVE-2023-0464
Desc: A security vulnerability has been identified in all supported versions of
OpenSSL related to the verification of X.509 certificate chains that include
policy constraints. Attackers may be able to exploit this vulnerability by
creating a malicious certificate chain that triggers exponential use of
computational resources, leading to a denial-of-service (DoS) attack on
affected systems. Policy processing is disabled by default but can be enabled
by passing the `-policy' argument to the command line utilities or by calling
the `X509_VERIFY_PARAM_set1_policies()' function.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-0464
Severity: HIGH
CVE-2023-0465
Desc: Applications that use a non-default option when verifying certificates
may be
vulnerable to an attack from a malicious CA to circumvent certain checks.

Invalid certificate policies in leaf certificates are silently ignored by
OpenSSL and other certificate policy checks are skipped for that certificate.
A malicious CA could use this to deliberately assert invalid certificate
policies
in order to circumvent policy checking on the certificate altogether.

Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-0465
Severity: MEDIUM
CVE-2023-0466
Desc: The function X509_VERIFY_PARAM_add0_policy() is documented to
implicitly enable the certificate policy check when doing certificate
verification. However the implementation of the function does not
enable the check which allows certificates with invalid or incorrect
policies to pass the certificate verification.

As suddenly enabling the policy check could break existing deployments it was
decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()
function.

Instead the applications that require OpenSSL to perform certificate
policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly
enable the policy check by calling X509_VERIFY_PARAM_set_flags() with
the X509_V_FLAG_POLICY_CHECK flag argument.

Certificate policy checks are disabled by default in OpenSSL and are not
commonly used by applications.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-0466
Severity: MEDIUM

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- следущая часть -----------
Вложение в формате HTML было извлечено…
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230503/2a368c44/attachment.html>

Подробная информация о списке рассылки Bugs