CVE-2023-0464
Published: 22 March 2023
A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy` argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()` function.
Priority
Status
Package | Release | Status |
---|---|---|
edk2 | bionic | Needs triage |
edk2 | focal | Needed |
edk2 | jammy | Needed |
edk2 | kinetic | Ignored (end of life, was needs-triage) |
edk2 | lunar | Ignored (end of life, was needs-triage) |
edk2 | mantic | Needed |
edk2 | trusty | Ignored (end of standard support) |
edk2 | upstream | Needs triage |
edk2 | xenial | Needs triage |
nodejs | bionic | Needs triage |
nodejs | focal | Not vulnerable (uses system openssl) |
nodejs | jammy | Needed |
nodejs | kinetic | Not vulnerable (uses system openssl) |
nodejs | lunar | Not vulnerable (uses system openssl) |
nodejs | mantic | Not vulnerable (uses system openssl) |
nodejs | trusty | Not vulnerable (uses system openssl) |
nodejs | upstream | Needs triage |
nodejs | xenial | Needs triage |
openssl | bionic | Released (1.1.1-1ubuntu2.1~18.04.22) |
openssl | focal | Released (1.1.1f-1ubuntu2.18) |
openssl | jammy | Released (3.0.2-0ubuntu1.9) |
openssl | kinetic | Released (3.0.5-2ubuntu2.2) |
openssl | lunar | Released (3.0.8-1ubuntu1.1) |
openssl | mantic | Released (3.0.8-1ubuntu2) |
openssl | trusty | Released (1.0.1f-1ubuntu2.27+esm7); available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
openssl | upstream | Released (3.0.9, 1.1.1u) |
openssl | xenial | Released (1.0.2g-1ubuntu4.20+esm7); available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
openssl1.0 | bionic | Released (1.0.2n-1ubuntu5.12) |
openssl1.0 | focal | Does not exist |
openssl1.0 | jammy | Does not exist |
openssl1.0 | kinetic | Does not exist |
openssl1.0 | trusty | Does not exist |
openssl1.0 | upstream | Needs triage |
openssl1.0 | xenial | Does not exist |

openssl patches (upstream):
- https://git.openssl.org/?p=openssl.git;a=commit;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b
- https://git.openssl.org/?p=openssl.git;a=commit;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1
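As an added example (not part of the Ubuntu tracker page), the following Python check compares an installed package version against the fixed versions listed in the status table above, using dpkg's version-ordering rules so that `~`, `+esm` suffixes and multi-digit revisions compare the way `dpkg --compare-versions` would. The package and release keys are assumed to be the source package and Ubuntu codename exactly as they appear in the table.

```python
import re

# Fix versions for the openssl / openssl1.0 source packages, copied from the
# "Released" rows of the status table on this page, keyed by (package, release).
FIXED_VERSIONS = {
    ("openssl", "bionic"): "1.1.1-1ubuntu2.1~18.04.22",
    ("openssl", "focal"): "1.1.1f-1ubuntu2.18",
    ("openssl", "jammy"): "3.0.2-0ubuntu1.9",
    ("openssl", "kinetic"): "3.0.5-2ubuntu2.2",
    ("openssl", "lunar"): "3.0.8-1ubuntu1.1",
    ("openssl", "mantic"): "3.0.8-1ubuntu2",
    ("openssl", "trusty"): "1.0.1f-1ubuntu2.27+esm7",
    ("openssl", "xenial"): "1.0.2g-1ubuntu4.20+esm7",
    ("openssl1.0", "bionic"): "1.0.2n-1ubuntu5.12",
}

def _order(c):
    # dpkg character weight: '~' sorts before even the end of the string, digits are
    # handled numerically, letters by code point, other punctuation after letters.
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's comparison of one upstream-version or revision string.
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character (end of string weighs 0).
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: compare as integers, so "2.18" > "2.9" and leading zeros are ignored.
        m, n = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(m), j + len(n)
        if int(m or 0) != int(n or 0):
            return int(m or 0) - int(n or 0)
    return 0

def compare_versions(v1, v2):
    # Like `dpkg --compare-versions`: epoch, then upstream version, then Debian revision.
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def is_fixed(package, release, installed):
    # True if `installed` (e.g. from `dpkg-query -W -f='${Version}' libssl3` on jammy)
    # is at or above the fixed version; None if the page lists no fix for that pair.
    fixed = FIXED_VERSIONS.get((package, release))
    return None if fixed is None else compare_versions(installed, fixed) >= 0
```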
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality impact | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |