CVE-2023-0464

CVSS V2 None CVSS V3 None

Description

A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.

Overview

CVE ID
CVE-2023-0464

Assigner
openssl-security@openssl.org

Vulnerability Status
Analyzed

Published Version
2023-03-22T17:15:13

Last Modified Date
2023-03-29T19:37:35

Weakness Enumerations

CWE	URL
CWE-295	http://cwe.mitre.org/data/definitions/295.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version Start	Version End
cpe:2.3:a:openssl:openssl::::::::	1	OR	1.0.2	1.0.2zh
cpe:2.3:a:openssl:openssl::::::::	1	OR	1.1.1	1.1.1u
cpe:2.3:a:openssl:openssl::::::::	1	OR	3.0.0	3.0.9
cpe:2.3:a:openssl:openssl::::::::	1	OR	3.1.0	3.1.1

References

Reference URL	Reference Tags
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545	Mailing List Patch
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b	Mailing List Patch
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1	Mailing List Patch
https://www.openssl.org/news/secadv/20230322.txt	Vendor Advisory

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-0464
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0464

History

Created	Old Value	New Value	Data Type	Notes
2023-04-17 03:11:17				Added to TrackCVE
2023-04-17 03:11:21			Weakness Enumeration	new