Bugzilla – Bug 1211430
VUL-0: CVE-2023-2650: openssl-3,openssl-1_1,compat-openssl098,openssl1,openssl-1_0_0,openssl: Possible DoS translating ASN.1 object identifiers
Last modified: 2024-05-07 11:37:52 UTC
CRD: 2023-05-30
0.9.8 has the same code, so it's also affected I assume.
is public

From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 30 May 2023 13:49:33 +0000
Subject: [oss-security] OpenSSL Security Advisory

OpenSSL Security Advisory [30th May 2023]
=========================================

Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)
=================================================================

Severity: Moderate

Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow.

Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service.

An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods.

When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*).

With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms.

Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data.

Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low.

In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature.

The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication.

In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.

No version of the FIPS provider is affected by this issue.

OpenSSL 3.0.x and 3.1.x are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 users may be affected by this issue when calling OBJ_obj2txt() directly.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.9.
OpenSSL 3.1 users should upgrade to OpenSSL 3.1.1.
OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1u.
OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zh (premium support customers only).

OSSfuzz first detected and automatically reported this issue on 16th January 2020. At that time OpenSSL 3.0 was still in early development and it was not identified as a security concern at that time. On 23rd April 2023 the issue was reexamined and identified as a security issue by Matt Caswell. The fix was developed by Richard Levitte.

(*) A measurement showed about 2 seconds for 100KiB and a minute for 500KiB. This measurement wasn't made to demonstrate exact time ranges, but rather to demonstrate the quadratic nature of the issue.

General Advisory Notes
======================

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20230530.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/general/security-policy.html
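Worked example added by the editor; it is not part of this bug report, the OpenSSL advisory, or the OpenSSL code base. It builds the input shape the advisory describes (a DER OBJECT IDENTIFIER whose last sub-identifier is 100 KiB of base-128 octets) without ever doing the big-integer arithmetic that makes OBJ_obj2txt() slow, and then walks an arbitrary DER blob to flag OIDs with oversized sub-identifiers so an application can reject such input before it reaches OBJ_obj2txt() or any of the listed subsystems. It goes beyond the advisory in recursing into nested constructed values, so it can be run over a whole certificate or CMS message. The 32-octet limit, the function names, and the constructed sample SEQUENCE are assumptions chosen for illustration, not values taken from OpenSSL.

```python
"""Added example, not from the SUSE bug or the OpenSSL advisory: craft a DER
OID with an oversized base-128 sub-identifier (the CVE-2023-2650 input shape)
and walk any DER blob to flag such OIDs before they reach OBJ_obj2txt()."""
from typing import Iterator, List, Optional, Tuple

OID_TAG = 0x06
CONSTRUCTED = 0x20
# Assumed policy limit: no real-world arc needs more than 32 base-128 octets.
MAX_SUBID_BYTES = 32


def encode_base128(value: int) -> bytes:
    """One sub-identifier: 7 bits per octet, high bit set on all but the last."""
    octets = [value & 0x7F]
    value >>= 7
    while value:
        octets.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(octets))


def encode_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(arcs: List[int]) -> bytes:
    """DER-encode an OID; the first two arcs are packed as 40*a0 + a1."""
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid leading arcs")
    content = b"".join(encode_base128(a) for a in [40 * arcs[0] + arcs[1]] + arcs[2:])
    return bytes([OID_TAG]) + encode_length(len(content)) + content


def crafted_oid(subid_bytes: int) -> bytes:
    """OID 1.2.<huge>: the last sub-identifier spans subid_bytes octets (value
    2**(7*subid_bytes) - 1). Built byte-wise; the sender does no big-int work."""
    content = encode_base128(42) + b"\xff" * (subid_bytes - 1) + b"\x7f"
    return bytes([OID_TAG]) + encode_length(len(content)) + content


def read_tlv(data: bytes, pos: int) -> Tuple[int, int, int]:
    """Parse tag and length at pos; return (tag, content_start, content_end)."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not supported")
    length = first
    if first >= 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(data):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("length exceeds buffer")
    return tag, pos, pos + length


def subid_lengths(content: bytes) -> List[int]:
    """Octet count of each sub-identifier, found without decoding any value:
    turning a huge arc into a number or decimal text is the quadratic step."""
    lengths, run = [], 0
    for b in content:
        run += 1
        if not b & 0x80:
            lengths.append(run)
            run = 0
    if run:
        raise ValueError("OID ends inside a sub-identifier")
    return lengths


def iter_oids(data: bytes, pos: int = 0, end: Optional[int] = None) -> Iterator[bytes]:
    """Yield the content octets of every OBJECT IDENTIFIER, recursing into
    constructed values (SEQUENCE, SET, explicit tags)."""
    end = len(data) if end is None else end
    while pos < end:
        tag, start, stop = read_tlv(data, pos)
        if stop > end:
            raise ValueError("element overruns its enclosing value")
        if tag == OID_TAG:
            yield data[start:stop]
        elif tag & CONSTRUCTED:
            yield from iter_oids(data, start, stop)
        pos = stop


def oversized_subids(data: bytes, limit: int = MAX_SUBID_BYTES) -> List[int]:
    """Longest sub-identifier (octets) of each OID in data that exceeds limit."""
    worst = [max(subid_lengths(c), default=0) for c in iter_oids(data)]
    return [w for w in worst if w > limit]


# Constructed sample: SEQUENCE { sha256WithRSAEncryption (1.2.840.113549.1.1.11),
# crafted OID with a 100 KiB arc }; 100 KiB is where the advisory measured ~2 s.
NORMAL_OID = encode_oid([1, 2, 840, 113549, 1, 1, 11])
HUGE_OID = crafted_oid(100 * 1024)
_body = NORMAL_OID + HUGE_OID
SAMPLE = bytes([0x30]) + encode_length(len(_body)) + _body

if __name__ == "__main__":
    print("oversized sub-identifiers (octets):", oversized_subids(SAMPLE))
```

The scanner deliberately measures sub-identifiers by counting continuation octets and never converts the arc to an integer or to decimal text; that conversion is exactly the O(n^2) step the advisory describes, and CPython itself added a default 4300-digit limit on int-to-str conversion in 3.11 (CVE-2020-10735) for the same class of problem. A size cap like this is only a front-line filter: the real fix is the patched OBJ_obj2txt(), and for TLS the existing 100 KiB chain limit already bounds the worst case.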
SUSE-SU-2023:2332-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1211430
CVE References: CVE-2023-2650
Sources used:
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): openssl-1.0.2j-60.95.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2331-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1211430
CVE References: CVE-2023-2650
Sources used:
openSUSE Leap 15.4 (src): openssl-1_0_0-1.0.2p-150000.3.76.1
openSUSE Leap 15.5 (src): openssl-1_0_0-1.0.2p-150000.3.76.1
Legacy Module 15-SP4 (src): openssl-1_0_0-1.0.2p-150000.3.76.1
Legacy Module 15-SP5 (src): openssl-1_0_0-1.0.2p-150000.3.76.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): openssl-1_0_0-1.0.2p-150000.3.76.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): openssl-1_0_0-1.0.2p-150000.3.76.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): openssl-1_0_0-1.0.2p-150000.3.76.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): openssl-1_0_0-1.0.2p-150000.3.76.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): openssl-1_0_0-1.0.2p-150000.3.76.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): openssl-1_0_0-1.0.2p-150000.3.76.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): openssl-1_0_0-1.0.2p-150000.3.76.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): openssl-1_0_0-1.0.2p-150000.3.76.1
SUSE Enterprise Storage 7.1 (src): openssl-1_0_0-1.0.2p-150000.3.76.1
SUSE Enterprise Storage 7 (src): openssl-1_0_0-1.0.2p-150000.3.76.1
SUSE CaaS Platform 4.0 (src): openssl-1_0_0-1.0.2p-150000.3.76.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2330-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1211430
CVE References: CVE-2023-2650
Sources used:
SUSE OpenStack Cloud 9 (src): openssl-1_0_0-1.0.2p-3.75.1
SUSE OpenStack Cloud Crowbar 9 (src): openssl-1_0_0-1.0.2p-3.75.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): openssl-1_0_0-1.0.2p-3.75.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): openssl-1_0_0-1.0.2p-3.75.1
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): openssl-1_0_0-1.0.2p-3.75.1
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): openssl-1_0_0-1.0.2p-3.75.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): openssl-1_0_0-1.0.2p-3.75.1
SUSE Linux Enterprise Server 12 SP5 (src): openssl-1_0_0-1.0.2p-3.75.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): openssl-1_0_0-1.0.2p-3.75.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2329-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1211430
CVE References: CVE-2023-2650
Sources used:
Legacy Module 12 (src): compat-openssl098-0.9.8j-106.51.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): compat-openssl098-0.9.8j-106.51.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): compat-openssl098-0.9.8j-106.51.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2328-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1211430
CVE References: CVE-2023-2650
Sources used:
SUSE OpenStack Cloud 9 (src): openssl-1_1-1.1.1d-2.84.1
SUSE OpenStack Cloud Crowbar 9 (src): openssl-1_1-1.1.1d-2.84.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): openssl-1_1-1.1.1d-2.84.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): openssl-1_1-1.1.1d-2.84.1
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): openssl-1_1-1.1.1d-2.84.1
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): openssl-1_1-1.1.1d-2.84.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): openssl-1_1-1.1.1d-2.84.1
SUSE Linux Enterprise Server 12 SP5 (src): openssl-1_1-1.1.1d-2.84.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): openssl-1_1-1.1.1d-2.84.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2327-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1211430
CVE References: CVE-2023-2650
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): openssl-1_1-1.1.0i-150100.14.51.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): openssl-1_1-1.1.0i-150100.14.51.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): openssl-1_1-1.1.0i-150100.14.51.1
SUSE CaaS Platform 4.0 (src): openssl-1_1-1.1.0i-150100.14.51.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Build/test failure is caused by expired certificate(s):

> openssl x509 -in test/smime-certs/smrsa1.pem -text -noout | grep After
> Not After : May 26 17:28:30 2023 GMT

And affects probably all OpenSSL 1.1.x code streams and some 1.0.x.
This is an autogenerated message for OBS integration: This bug (1211430) was mentioned in https://build.opensuse.org/request/show/1089933 Factory / openssl-3
This is an autogenerated message for OBS integration:
This bug (1211430) was mentioned in
https://build.opensuse.org/request/show/1089973 Factory / openssl-1_1
https://build.opensuse.org/request/show/1089985 Factory / openssl-1_0_0
All affected code streams submitted:

> Codestream                 Package             Request
> ------------------------------------------------------------------------------------
> SUSE:SLE-15-SP5:Update     openssl-3           https://build.suse.de/request/show/300180
> SUSE:SLE-15-SP4:Update     openssl-3           https://build.suse.de/request/show/300182
> openSUSE:Factory           openssl-3           https://build.opensuse.org/request/show/1089933
> openSUSE:Factory           openssl             https://build.opensuse.org/request/show/1089934
> ------------------------------------------------------------------------------------
> SUSE:SLE-15-SP5:Update     openssl-1_1         https://build.suse.de/request/show/300183
> SUSE:SLE-15-SP4:Update     openssl-1_1         https://build.suse.de/request/show/299805
> SUSE:SLE-15-SP2:Update     openssl-1_1         https://build.suse.de/request/show/299804
> SUSE:SLE-15-SP1:Update     openssl-1_1         https://build.suse.de/request/show/299803
> SUSE:SLE-12-SP4:Update     openssl-1_1         https://build.suse.de/request/show/299802
> openSUSE:Factory           openssl-1_1         https://build.opensuse.org/request/show/1089973
> ------------------------------------------------------------------------------------
> SUSE:SLE-15:Update         openssl-1_0_0       https://build.suse.de/request/show/299801
> SUSE:SLE-12-SP4:Update     openssl-1_0_0       https://build.suse.de/request/show/299800
> SUSE:SLE-12-SP2:Update     openssl             https://build.suse.de/request/show/299799
> SUSE:SLE-11-SP3:Update     openssl1            https://build.suse.de/request/show/299798
> openSUSE:Factory           openssl-1_0_0       https://build.opensuse.org/request/show/1089985
> ------------------------------------------------------------------------------------
> SUSE:SLE-12:Update         compat-openssl098   https://build.suse.de/request/show/299797
> SUSE:SLE-11-SP1:Update     openssl             https://build.suse.de/request/show/299796

Details about the build/test failure that I mentioned in comment #18 can be found here: bsc#1201627. I had to resubmit almost all code streams.
SUSE-SU-2023:2343-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1211430
CVE References: CVE-2023-2650
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): openssl-1_1-1.1.1d-150200.11.65.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.65.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.65.1
SUSE Linux Enterprise Real Time 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.65.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): openssl-1_1-1.1.1d-150200.11.65.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): openssl-1_1-1.1.1d-150200.11.65.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): openssl-1_1-1.1.1d-150200.11.65.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): openssl-1_1-1.1.1d-150200.11.65.1
SUSE Manager Proxy 4.2 (src): openssl-1_1-1.1.1d-150200.11.65.1
SUSE Manager Retail Branch Server 4.2 (src): openssl-1_1-1.1.1d-150200.11.65.1
SUSE Manager Server 4.2 (src): openssl-1_1-1.1.1d-150200.11.65.1
SUSE Enterprise Storage 7.1 (src): openssl-1_1-1.1.1d-150200.11.65.1
SUSE Enterprise Storage 7 (src): openssl-1_1-1.1.1d-150200.11.65.1
SUSE Linux Enterprise Micro 5.1 (src): openssl-1_1-1.1.1d-150200.11.65.1
SUSE Linux Enterprise Micro 5.2 (src): openssl-1_1-1.1.1d-150200.11.65.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): openssl-1_1-1.1.1d-150200.11.65.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2342-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1211430
CVE References: CVE-2023-2650
Sources used:
openSUSE Leap Micro 5.3 (src): openssl-1_1-1.1.1l-150400.7.37.1
openSUSE Leap 15.4 (src): openssl-1_1-1.1.1l-150400.7.37.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): openssl-1_1-1.1.1l-150400.7.37.1
SUSE Linux Enterprise Micro 5.3 (src): openssl-1_1-1.1.1l-150400.7.37.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): openssl-1_1-1.1.1l-150400.7.37.1
SUSE Linux Enterprise Micro 5.4 (src): openssl-1_1-1.1.1l-150400.7.37.1
Basesystem Module 15-SP4 (src): openssl-1_1-1.1.1l-150400.7.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2471-1: An update that solves one vulnerability and has one fix can now be installed.

Category: security (important)
Bug References: 1201627, 1211430
CVE References: CVE-2023-2650
Sources used:
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE 11-SP4 (src): openssl1-1.0.1g-0.58.67.1
SUSE Linux Enterprise Server 11 SP4 (src): openssl1-1.0.1g-0.58.67.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2470-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1205476, 1210714, 1211430
CVE References: CVE-2022-40735, CVE-2023-1255, CVE-2023-2650
Sources used:
Basesystem Module 15-SP4 (src): openssl-3-3.0.8-150400.4.26.1
openSUSE Leap 15.4 (src): openssl-3-3.0.8-150400.4.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2469-1: An update that solves one vulnerability and has one fix can now be installed.

Category: security (important)
Bug References: 1201627, 1211430
CVE References: CVE-2023-2650
Sources used:
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE 11-SP4 (src): openssl-0.9.8j-0.106.71.1
SUSE Linux Enterprise Server 11 SP4 (src): openssl-0.9.8j-0.106.71.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
ALP synced with Factory:
openssl-3 https://build.suse.de/request/show/301665
openssl-1_1 https://build.suse.de/request/show/301666
openssl (meta) https://build.suse.de/request/show/301667
SUSE-SU-2023:29171-1: An update that solves two vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1201627, 1207534, 1211430
CVE References: CVE-2022-4304, CVE-2023-2650
Sources used:
openSUSE Leap 15.5 (src): openssl-1_1-1.1.1l-150500.17.6.1
Basesystem Module 15-SP5 (src): openssl-1_1-1.1.1l-150500.17.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2620-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1210714, 1211430
CVE References: CVE-2023-1255, CVE-2023-2650
Sources used:
openSUSE Leap 15.5 (src): openssl-3-3.0.8-150500.5.3.1
Basesystem Module 15-SP5 (src): openssl-3-3.0.8-150500.5.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Assigning back to security team.
Done, closing.