CVE-2023-0464

A security vulnerability has been identified in all supported versions

of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints.  Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.

Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
opensslCNA
---
---
CVEADP
---
---
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 74%
VendorProductVersion
opensslopenssl
1.0.2 ≤
𝑥
< 1.0.2zh
opensslopenssl
1.1.1 ≤
𝑥
< 1.1.1u
opensslopenssl
3.0.0 ≤
𝑥
< 3.0.9
opensslopenssl
3.1.0 ≤
𝑥
< 3.1.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openssl
bullseye
1.1.1w-0+deb11u1
fixed
bullseye (security)
1.1.1w-0+deb11u2
fixed
bookworm
3.0.15-1~deb12u1
fixed
bookworm (security)
3.0.14-1~deb12u2
fixed
trixie
3.3.2-2
fixed
sid
3.3.2-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
edk2
oracular
not-affected
noble
not-affected
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needed
focal
needed
bionic
needs-triage
xenial
needs-triage
trusty
ignored
nodejs
oracular
not-affected
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
needed
focal
not-affected
bionic
needs-triage
xenial
needs-triage
trusty
not-affected
openssl
oracular
Fixed 3.0.8-1ubuntu2
released
noble
Fixed 3.0.8-1ubuntu2
released
mantic
Fixed 3.0.8-1ubuntu2
released
lunar
Fixed 3.0.8-1ubuntu1.1
released
kinetic
Fixed 3.0.5-2ubuntu2.2
released
jammy
Fixed 3.0.2-0ubuntu1.9
released
focal
Fixed 1.1.1f-1ubuntu2.18
released
bionic
Fixed 1.1.1-1ubuntu2.1~18.04.22
released
xenial
Fixed 1.0.2g-1ubuntu4.20+esm7
released
trusty
Fixed 1.0.1f-1ubuntu2.27+esm7
released
openssl1.0
kinetic
dne
jammy
dne
focal
dne
bionic
Fixed 1.0.2n-1ubuntu5.12
released
xenial
dne
trusty
dne
Common Weakness Enumeration
References
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1
https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html
https://security.gentoo.org/glsa/202402-08
https://security.netapp.com/advisory/ntap-20240621-0006/
https://www.couchbase.com/alerts/
https://www.debian.org/security/2023/dsa-5417
https://www.openssl.org/news/secadv/20230322.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1
https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html
https://security.gentoo.org/glsa/202402-08
https://security.netapp.com/advisory/ntap-20230406-0006/
https://security.netapp.com/advisory/ntap-20240621-0006/
https://www.couchbase.com/alerts/
https://www.debian.org/security/2023/dsa-5417
https://www.openssl.org/news/secadv/20230322.txt