Bugzilla – Bug 1209624
VUL-0: CVE-2023-0464: openssl,openssl-1_0_0,compat-openssl098,openssl1,openssl-3,openssl-1_1: Excessive Resource Usage Verifying X.509 Policy Constraints
Last modified: 2024-05-06 08:44:00 UTC
CVE-2023-0464 https://www.openssl.org/news/secadv/20230322.txt

Excessive Resource Usage Verifying X.509 Policy Constraints (CVE-2023-0464)
===========================================================================

Severity: Low

A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.

Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.

OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. The fix is also available in commit 2017771e (for 3.1), commit 959c59c7 (for 3.0), commit 879f7080 (for 1.1.1) in the OpenSSL git repository, and commit 2dcd4f1e (for 1.0.2) in the OpenSSL git repository for premium customers.

Once they are released:
OpenSSL 3.1 users should upgrade to 3.1.1.
OpenSSL 3.0 users should upgrade to 3.0.9.
OpenSSL 1.1.1 users should upgrade to 1.1.1u.
OpenSSL 1.0.2 users should upgrade to 1.0.2zh (premium support customers only).

This issue was reported on 12th January 2023 by David Benjamin (Google). The fix was developed by Dr Paul Dale.

OpenSSL 1.1.1 will reach end-of-life on 2023-09-11. After that date security fixes for 1.1.1 will only be available to premium support customers.

References
==========

URL for this Security Advisory: https://www.openssl.org/news/secadv/20230322.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html
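Two checks an administrator can script from the advisory above, added here as an example that is not part of the bug report or of OpenSSL: a comparison against the first fixed upstream releases the advisory names, and a package-changelog check, which is the one that matters on a distribution build because (as the update notices later in this bug show) packages such as openssl-3-3.0.1 and openssl-1_1-1.1.1d were fixed by backport without a version bump. The package name in `package_fixed` and the changelog text in the test are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report or from OpenSSL.

# Compare a bare upstream OpenSSL version string ("3.0.8", "1.1.1t") with
# the first fixed releases named in the advisory: 3.1.1, 3.0.9, 1.1.1u and
# 1.0.2zh. Returns 0 when the version is at or past the fix.
# 1.1.1 uses a single letter suffix (t, u, ...); 1.0.2 had passed "z" and
# uses two letters (za, zb, ... zh, ...).
upstream_version_fixed() {
    v="$1"
    case "$v" in
        3.1.*)  [ "${v#3.1.}" -ge 1 ] 2>/dev/null ;;
        3.0.*)  [ "${v#3.0.}" -ge 9 ] 2>/dev/null ;;
        1.1.1*) case "${v#1.1.1}" in [u-z]) return 0 ;; *) return 1 ;; esac ;;
        1.0.2*) case "${v#1.0.2}" in z[h-z]) return 0 ;; *) return 1 ;; esac ;;
        *)      return 1 ;;
    esac
}

# On a distribution package the upstream version is not enough: SUSE shipped
# the fix as a backport (e.g. openssl-3-3.0.1-150400.4.20.1 in this bug)
# without changing "3.0.1". Read the package changelog instead. This reads
# `rpm -q --changelog <pkg>` output on stdin and returns 0 if the CVE id
# appears anywhere in it.
changelog_mentions_cve() {
    grep -qi -- "$1"
}

# Wrapper for a live host. Package name is an assumption; it depends on the
# codestream (openssl-3, openssl-1_1, openssl-1_0_0, compat-openssl098, ...).
package_fixed() {
    rpm -q --changelog "$1" 2>/dev/null | changelog_mentions_cve CVE-2023-0464
}

# Stand-alone use: check the version the openssl binary reports, then the
# package changelog, and say which one is authoritative.
if [ "${1:-}" = "--check" ]; then
    set -- $(openssl version 2>/dev/null)
    if upstream_version_fixed "${2:-}"; then
        echo "upstream version ${2:-?} is at or past the fixed release"
    else
        echo "upstream version ${2:-?} predates the fix; check the changelog:"
        package_fixed openssl-1_1 && echo "changelog lists CVE-2023-0464"
    fi
fi
```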
openssl-1_1 upstream commits:
* https://github.com/openssl/openssl/commit/879f708
* https://github.com/openssl/openssl/commit/b44a67c
* https://github.com/openssl/openssl/commit/fa425f2

I'm assigning the bug to Otto.
openssl-3 upstream commits for 3.0:
* https://github.com/openssl/openssl/commit/959c59c
* https://github.com/openssl/openssl/commit/2a35fdc
* https://github.com/openssl/openssl/commit/f8fe66e
Seems to affect all openssl versions. Likely also 0.9.8.
This is an autogenerated message for OBS integration:
This bug (1209624) was mentioned in
https://build.opensuse.org/request/show/1074722 Factory / openssl-1_1
https://build.opensuse.org/request/show/1074723 Factory / openssl-1_0_0
All codestreams were affected and all supported codestreams were fixed/submitted:

> Codestream                  Package            Request
> ------------------------------------------------------------------------------------
> SUSE:SLE-15-SP5:GA          openssl-3          https://build.suse.de/request/show/293238
> SUSE:SLE-15-SP4:Update      openssl-3          https://build.suse.de/request/show/293239
> openSUSE:Factory            openssl-3          https://build.opensuse.org/request/show/1074930
> ------------------------------------------------------------------------------------
> SUSE:SLE-15-SP5:GA          openssl-1_1        https://build.suse.de/request/show/293240
> SUSE:SLE-15-SP4:Update      openssl-1_1        https://build.suse.de/request/show/293241
> SUSE:SLE-15-SP2:Update      openssl-1_1        https://build.suse.de/request/show/293242
> SUSE:SLE-15-SP1:Update      openssl-1_1        https://build.suse.de/request/show/293243
> SUSE:SLE-12-SP4:Update      openssl-1_1        https://build.suse.de/request/show/293244
> openSUSE:Factory            openssl-1_1        https://build.opensuse.org/request/show/1074722
> ------------------------------------------------------------------------------------
> SUSE:SLE-15:Update          openssl-1_0_0      https://build.suse.de/request/show/293246
> SUSE:SLE-12-SP4:Update      openssl-1_0_0      https://build.suse.de/request/show/293247
> SUSE:SLE-12-SP2:Update      openssl            https://build.suse.de/request/show/293274
> SUSE:SLE-11-SP3:Update      openssl1           https://build.suse.de/request/show/293248
> openSUSE:Factory            openssl-1_0_0      https://build.opensuse.org/request/show/1074723
> ------------------------------------------------------------------------------------
> SUSE:SLE-12:Update          compat-openssl098  https://build.suse.de/request/show/293249
> SUSE:SLE-11-SP1:Update      openssl            https://build.suse.de/request/show/293251

Accepting openssl-3 in Factory will take some time because we are dealing with build failures caused by the version upgrade from 3.0.8 to 3.1.0.
This is an autogenerated message for OBS integration:
This bug (1209624) was mentioned in
https://build.opensuse.org/request/show/1075557 Factory / openssl-3
SUSE-SU-2023:1704-1: An update that solves one vulnerability and has one fix can now be installed.

Category: security (moderate)
Bug References: 1202062, 1209624
CVE References: CVE-2023-0464
Sources used:
SUSE OpenStack Cloud 9 (src): openssl-1_0_0-1.0.2p-3.69.1
SUSE OpenStack Cloud Crowbar 9 (src): openssl-1_0_0-1.0.2p-3.69.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): openssl-1_0_0-1.0.2p-3.69.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): openssl-1_0_0-1.0.2p-3.69.1
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): openssl-1_0_0-1.0.2p-3.69.1
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): openssl-1_0_0-1.0.2p-3.69.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): openssl-1_0_0-1.0.2p-3.69.1
SUSE Linux Enterprise Server 12 SP5 (src): openssl-1_0_0-1.0.2p-3.69.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): openssl-1_0_0-1.0.2p-3.69.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1703-1: An update that solves one vulnerability and has one fix can now be installed.

Category: security (moderate)
Bug References: 1202062, 1209624
CVE References: CVE-2023-0464
Sources used:
openSUSE Leap 15.4 (src): openssl-1_0_0-1.0.2p-150000.3.70.1
Legacy Module 15-SP4 (src): openssl-1_0_0-1.0.2p-150000.3.70.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): openssl-1_0_0-1.0.2p-150000.3.70.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): openssl-1_0_0-1.0.2p-150000.3.70.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): openssl-1_0_0-1.0.2p-150000.3.70.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): openssl-1_0_0-1.0.2p-150000.3.70.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): openssl-1_0_0-1.0.2p-150000.3.70.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): openssl-1_0_0-1.0.2p-150000.3.70.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): openssl-1_0_0-1.0.2p-150000.3.70.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): openssl-1_0_0-1.0.2p-150000.3.70.1
SUSE Enterprise Storage 7.1 (src): openssl-1_0_0-1.0.2p-150000.3.70.1
SUSE Enterprise Storage 7 (src): openssl-1_0_0-1.0.2p-150000.3.70.1
SUSE CaaS Platform 4.0 (src): openssl-1_0_0-1.0.2p-150000.3.70.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1738-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1209624
CVE References: CVE-2023-0464
Sources used:
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): openssl-1.0.2j-60.89.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1737-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1209624
CVE References: CVE-2023-0464
Sources used:
Legacy Module 12 (src): compat-openssl098-0.9.8j-106.45.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): compat-openssl098-0.9.8j-106.45.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): compat-openssl098-0.9.8j-106.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1748-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1209624
CVE References: CVE-2023-0464
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): openssl-1_1-1.1.0i-150100.14.45.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): openssl-1_1-1.1.0i-150100.14.45.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): openssl-1_1-1.1.0i-150100.14.45.1
SUSE CaaS Platform 4.0 (src): openssl-1_1-1.1.0i-150100.14.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1747-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1209624
CVE References: CVE-2023-0464
Sources used:
SUSE OpenStack Cloud 9 (src): openssl-1_1-1.1.1d-2.78.1
SUSE OpenStack Cloud Crowbar 9 (src): openssl-1_1-1.1.1d-2.78.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): openssl-1_1-1.1.1d-2.78.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): openssl-1_1-1.1.1d-2.78.1
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): openssl-1_1-1.1.1d-2.78.1
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): openssl-1_1-1.1.1d-2.78.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): openssl-1_1-1.1.1d-2.78.1
SUSE Linux Enterprise Server 12 SP5 (src): openssl-1_1-1.1.1d-2.78.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): openssl-1_1-1.1.1d-2.78.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1746-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1209624
CVE References: CVE-2023-0464
Sources used:
openSUSE Leap 15.4 (src): openssl-3-3.0.1-150400.4.20.1
Basesystem Module 15-SP4 (src): openssl-3-3.0.1-150400.4.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1745-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1209624
CVE References: CVE-2023-0464
Sources used:
openSUSE Leap Micro 5.3 (src): openssl-1_1-1.1.1l-150400.7.31.2
openSUSE Leap 15.4 (src): openssl-1_1-1.1.1l-150400.7.31.2
SUSE Linux Enterprise Micro for Rancher 5.3 (src): openssl-1_1-1.1.1l-150400.7.31.2
SUSE Linux Enterprise Micro 5.3 (src): openssl-1_1-1.1.1l-150400.7.31.2
SUSE Linux Enterprise Micro for Rancher 5.4 (src): openssl-1_1-1.1.1l-150400.7.31.2
SUSE Linux Enterprise Micro 5.4 (src): openssl-1_1-1.1.1l-150400.7.31.2
Basesystem Module 15-SP4 (src): openssl-1_1-1.1.1l-150400.7.31.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
*** Bug 1210039 has been marked as a duplicate of this bug. ***
SUSE-SU-2023:1754-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1209624
CVE References: CVE-2023-0464
Sources used:
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE 11-SP4 (src): openssl1-1.0.1g-0.58.59.1
SUSE Linux Enterprise Server 11 SP4 (src): openssl1-1.0.1g-0.58.59.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1764-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1209624
CVE References: CVE-2023-0464
Sources used:
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE 11-SP4 (src): openssl-0.9.8j-0.106.63.1
SUSE Linux Enterprise Server 11 SP4 (src): openssl-0.9.8j-0.106.63.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1790-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1209624, 1209873, 1209878
CVE References: CVE-2023-0464, CVE-2023-0465, CVE-2023-0466
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Real Time 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Manager Proxy 4.2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Manager Retail Branch Server 4.2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Manager Server 4.2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Enterprise Storage 7.1 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Enterprise Storage 7 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Micro 5.1 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Micro 5.2 (src): openssl-1_1-1.1.1d-150200.11.62.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): openssl-1_1-1.1.1d-150200.11.62.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration:
This bug (1209624) was mentioned in
https://build.opensuse.org/request/show/1089933 Factory / openssl-3
All requests were accepted, assigning back to security team.
Done, closing.