CVE-2023-0465
Published: 28 March 2023
Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
Notes
| Author | Note |
|---|---|
| ccdm94 | This CVE was omitted from the changelog of the updates listed below for packages openssl and openssl1.0. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
edk2 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needed
|
|
| jammy |
Needed
|
|
| kinetic |
Ignored
(end of life, was needs-triage)
|
|
| lunar |
Ignored
(end of life, was needs-triage)
|
|
| mantic |
Needed
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
nodejs Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Not vulnerable
(uses system openssl)
|
|
| jammy |
Needed
|
|
| kinetic |
Not vulnerable
(uses system openssl)
|
|
| lunar |
Not vulnerable
(uses system openssl)
|
|
| mantic |
Not vulnerable
(uses system openssl)
|
|
| trusty |
Not vulnerable
(uses system openssl)
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
openssl Launchpad, Ubuntu, Debian |
bionic |
Released
(1.1.1-1ubuntu2.1~18.04.22)
|
| focal |
Released
(1.1.1f-1ubuntu2.18)
|
|
| jammy |
Released
(3.0.2-0ubuntu1.9)
|
|
| kinetic |
Released
(3.0.5-2ubuntu2.2)
|
|
| lunar |
Released
(3.0.8-1ubuntu1.1)
|
|
| mantic |
Released
(3.0.8-1ubuntu2)
|
|
| trusty |
Released
(1.0.1f-1ubuntu2.27+esm7)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Released
(3.0.9)
|
|
| xenial |
Released
(1.0.2g-1ubuntu4.20+esm7)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
|
Patches: upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1dd43e0709fece299b15208f36cc7c76209ba0bb upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b013765abfa80036dc779dd0e50602c57bb3bf95 |
||
|
openssl1.0 Launchpad, Ubuntu, Debian |
bionic |
Released
(1.0.2n-1ubuntu5.12)
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |