OpenSSL patches multiple vulnerabilities (1 rated High severity)

OpenSSL has released a security update with fixes for one High severity vulnerability (CVE-2023-0286) and multiple other Moderate severity vulnerabilities.

An attacker could exploit these vulnerabilities to take over impacted systems.

OpenSSL is a software library used by applications to secure communications over the internet; it is deployed by the majority of internet-facing HTTPS websites.

The most severe of the eight patched issues is the X.400 address type confusion in X.509 GeneralName vulnerability (CVE-2023-0286).

“There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING,” OpenSSL wrote in a recent advisory.

OpenSSL versions 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

OpenSSL also addressed the following seven vulnerabilities, each rated Moderate severity:

  1. CVE-2022-4304: Timing Oracle in RSA Decryption
  2. CVE-2022-4203: X.509 Name Constraints Read Buffer Overflow
  3. CVE-2023-0215: Use-after-free following BIO_new_NDEF
  4. CVE-2022-4450: Double free after calling PEM_read_bio_ex
  5. CVE-2023-0216: Invalid pointer dereference in d2i_PKCS7 functions
  6. CVE-2023-0217: NULL dereference validating DSA public key
  7. CVE-2023-0401: NULL dereference during PKCS7 data verification

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.8.

Users running other vulnerable versions of OpenSSL (e.g., 1.0.2, 1.1.1) should also upgrade to the appropriate fixed version noted in the advisory.
