Bug 1216286 (CVE-2023-5422)

Summary: VUL-0: CVE-2023-5422: otrs: Certificates are not checked for E-Mail Handling
Product: [openSUSE] openSUSE Distribution Reporter: SMASH SMASH <smash_bz>
Component: SecurityAssignee: Christian Wittmer <chris>
Status: RESOLVED WONTFIX QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: smash_bz, thomas.leroy
Version: Leap 15.6Flags: chris: needinfo? (smash_bz)
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/381964/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2023-10-16 15:08:18 UTC 
The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via
SMTP use OpenSSL for static SSL or TLS based communication. As the 
SSL_get_verify_result() function is not used the certificated is trusted always
and it can not be ensured that the certificate 
satisfies all necessary security requirements.

This could allow an 
attacker to use an invalid certificate to claim to be a trusted host, 
use expired certificates, or conduct other attacks that could be 
detected if the certificate is properly validated.

This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37;
((OTRS)) Community Edition: from 6.0.X through 6.0.34.



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-5422
Comment 1 Thomas Leroy 2023-10-16 15:08:43 UTC 
Backports codestreams are affected.
Comment 2 Christian Wittmer 2023-10-17 08:19:12 UTC 
OTRS 6 is not supported anymore. And there won't be fixes anymore.
There are to alternatives for Users:
- migration to OTRS community fork _otobo_
  http://download.opensuse.org/repositories/Application:/ITS:/otobo/
- going ahead with paid versions (7 or 8) of OTRS.