CVE-2023-0286: High-Severity Vulnerability in OpenSSL
The OpenSSL Project on Tuesday announced the availability of OpenSSL 3.0, 1.1.1, and 1.0.2, which patches a high-severity vulnerability that could allow an attacker to read memory contents or launch denial-of-service attacks.
The flaw, tracked as CVE-2023-0286, has been described as a type confusion in X.509 GeneralName.
“There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING,” the OpenSSL Project said in an advisory.
“When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service.”
The CVE-2023-0286 flaw, reported by David Benjamin (Google), affects OpenSSL versions 3.0, 1.1.1, and 1.0.2.
OpenSSL users have also been informed about CVE-2022-4304, CVE-2022-4203, CVE-2022-4450, CVE-2023-0216, CVE-2023-0217, and CVE-2023-0401, six moderate-severity vulnerabilities that can be exploited for denial-of-service (DoS) attacks, and possibly for the disclosure of private memory contents, such as private keys. These issues have been fixed with the release of versions 3.0.8, 1.0.2zg, and 1.1.1t.