Headline
RHSA-2023:2523: Red Hat Security Advisory: openssl security and bug fix update
An update for openssl is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-3358: A flaw was found in OpenSSL, where it incorrectly handles legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialization functions). Instead of using the custom cipher directly, it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However, it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used this way, the OpenSSL encryption/decryption initialization function will match the NULL cipher as equivalent and fetch this from the available providers. This is successful if the default provider has been loaded (or if a third-party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext.
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2023-05-09
Updated:
2023-05-09
RHSA-2023:2523 - Security Advisory
- Overview
- Updated Packages
Synopsis
Low: openssl security and bug fix update
Type/Severity
Security Advisory: Low
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for openssl is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.
Security Fix(es):
- openssl: Using a Custom Cipher with NID_undef may lead to NULL encryption (CVE-2022-3358)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
Fixes
- BZ - 2060044 - PSK ciphersuites at SECLEVEL=3
- BZ - 2083879 - -Wimplicit-function-declaration when compiling FIPS_mode() function with clang
- BZ - 2094956 - Overriding default property query settings doesn’t work for some operations (FIPS mode)
- BZ - 2128412 - stunnel consumes high amount of memory when pestered with TCP connections without a TLS handshake
- BZ - 2129063 - Rebase to the latest openssl 3.0.x series
- BZ - 2133809 - OPENSSL_strcasecmp versioning
- BZ - 2134740 - CVE-2022-3358 openssl: Using a Custom Cipher with NID_undef may lead to NULL encryption
- BZ - 2136250 - HMAC generation should reject key lengths < 112 bits or provide an indicator in FIPS mode
- BZ - 2137557 - In FIPS mode, openssl should set a minimum length for passwords in PBKDF2
- BZ - 2141597 - FIPS self-test data for RSA-CRT contains incorrect parameters
- BZ - 2141695 - In FIPS mode, openssl should reject KDF input and output key lengths < 112 bits or provide an indicator
- BZ - 2141748 - In FIPS mode, openssl should reject SHA-224, SHA-384, SHA-512-224, and SHA-512-256 as hashes for hash-based DRBGs, or provide an indicator after 2023-05-16
- BZ - 2142087 - In FIPS mode, openssl should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
- BZ - 2142121 - In FIPS mode, openssl should reject SHAKE as digest for RSA-OAEP or provide an indicator
- BZ - 2142131 - In FIPS mode, openssl should reject RSA signatures with X9.31 padding, or provide an indicator
- BZ - 2142517 - OpenSSL PKCS#11 provider compatibility
- BZ - 2144561 - In FIPS mode, openssl should reject RSA keys < 2048 bits when using EVP_PKEY_decapsulate, or provide an indicator
- BZ - 2157965 - OpenSSL FIPS checksum code needs update
- BZ - 2168224 - OpenSSL - Significant performance drop for getrandom system call when FIPS is enabled (compared to RHEL 8)
References
- https://access.redhat.com/security/updates/classification/#low
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index
Red Hat Enterprise Linux for x86_64 9
SRPM
openssl-3.0.7-6.el9_2.src.rpm
SHA-256: e2ecceb1d045843222970e41cd735bd16b0351cb89e8c84f3a2ef34d984aa7f3
x86_64
openssl-3.0.7-6.el9_2.x86_64.rpm
SHA-256: 7e87edd8b79ef5b96bbb223bceed4521718b4ea8d1f6415daf38df103c072f09
openssl-debuginfo-3.0.7-6.el9_2.i686.rpm
SHA-256: 60d580df85ce68285352cdd8dda8a5404800cd1bf58c3c7876da8505b4183c1b
openssl-debuginfo-3.0.7-6.el9_2.i686.rpm
SHA-256: 60d580df85ce68285352cdd8dda8a5404800cd1bf58c3c7876da8505b4183c1b
openssl-debuginfo-3.0.7-6.el9_2.x86_64.rpm
SHA-256: 701fe23480be0b1fd7c223ec28a81a09fc0572e0b0bd92c5cdff2c0ed17e69f8
openssl-debuginfo-3.0.7-6.el9_2.x86_64.rpm
SHA-256: 701fe23480be0b1fd7c223ec28a81a09fc0572e0b0bd92c5cdff2c0ed17e69f8
openssl-debugsource-3.0.7-6.el9_2.i686.rpm
SHA-256: 83cfb2c910b38a9e530efaff4c6a3a1a3faafaf921868f1e3bea0e1a4c1513f7
openssl-debugsource-3.0.7-6.el9_2.i686.rpm
SHA-256: 83cfb2c910b38a9e530efaff4c6a3a1a3faafaf921868f1e3bea0e1a4c1513f7
openssl-debugsource-3.0.7-6.el9_2.x86_64.rpm
SHA-256: 535704bf304b6d09eb567022f33b86829479b40ea22279b40d04be2ed7e975c0
openssl-debugsource-3.0.7-6.el9_2.x86_64.rpm
SHA-256: 535704bf304b6d09eb567022f33b86829479b40ea22279b40d04be2ed7e975c0
openssl-devel-3.0.7-6.el9_2.i686.rpm
SHA-256: 91bde61775dd8e1c6c5c5fe118259024b73ee4ea16b8e384fa417bd19b34d930
openssl-devel-3.0.7-6.el9_2.x86_64.rpm
SHA-256: cc00694c420b1455540b2b246801f806c309de02569de2e307248fb2e6273079
openssl-libs-3.0.7-6.el9_2.i686.rpm
SHA-256: 807c0512b0376ed8577cad0b18fa5f547447398c5bacabab8397ed0407a1b120
openssl-libs-3.0.7-6.el9_2.x86_64.rpm
SHA-256: 307a13237001d7935cb310cdb71d0b466d975fdc383a4cacfba723c5102869ee
openssl-libs-debuginfo-3.0.7-6.el9_2.i686.rpm
SHA-256: 5dc46c06b276c0cbbf8ef206b78fa44a7a28b3e2c747d5794efa6011e3162b35
openssl-libs-debuginfo-3.0.7-6.el9_2.i686.rpm
SHA-256: 5dc46c06b276c0cbbf8ef206b78fa44a7a28b3e2c747d5794efa6011e3162b35
openssl-libs-debuginfo-3.0.7-6.el9_2.x86_64.rpm
SHA-256: b425cfbafcdbf37dc63a2f49115a0dcdfdaa3834b1a53cb958907f76955ec925
openssl-libs-debuginfo-3.0.7-6.el9_2.x86_64.rpm
SHA-256: b425cfbafcdbf37dc63a2f49115a0dcdfdaa3834b1a53cb958907f76955ec925
openssl-perl-3.0.7-6.el9_2.x86_64.rpm
SHA-256: ec0a4674035e03014fa02d69d0243cc8a3d46974f19ee16409ed17c86a9f9b5b
Red Hat Enterprise Linux for IBM z Systems 9
SRPM
openssl-3.0.7-6.el9_2.src.rpm
SHA-256: e2ecceb1d045843222970e41cd735bd16b0351cb89e8c84f3a2ef34d984aa7f3
s390x
openssl-3.0.7-6.el9_2.s390x.rpm
SHA-256: a4836468c5065bbad89bfe6689e06f6e9e808b0325ff1bec704b773cf1be6be4
openssl-debuginfo-3.0.7-6.el9_2.s390x.rpm
SHA-256: 41adeb9934299d871ce9597d7d219150d2ed8fe6c23fab6c5af79d37b29cf66d
openssl-debuginfo-3.0.7-6.el9_2.s390x.rpm
SHA-256: 41adeb9934299d871ce9597d7d219150d2ed8fe6c23fab6c5af79d37b29cf66d
openssl-debugsource-3.0.7-6.el9_2.s390x.rpm
SHA-256: cde28b57e36ad20f14a7777f082089cff059ef8611edd09dc00029f6ae7aa929
openssl-debugsource-3.0.7-6.el9_2.s390x.rpm
SHA-256: cde28b57e36ad20f14a7777f082089cff059ef8611edd09dc00029f6ae7aa929
openssl-devel-3.0.7-6.el9_2.s390x.rpm
SHA-256: e3e74fa2cb96908658c6b5a52f92901c4b8a3a22dbd3c450bb3a0edf31085199
openssl-libs-3.0.7-6.el9_2.s390x.rpm
SHA-256: cf4c7da0d0c21e3061cb7e59171a2483f0017e01b54becdc2ab9e7c703cece38
openssl-libs-debuginfo-3.0.7-6.el9_2.s390x.rpm
SHA-256: a89730184dba726f6303c22a777a7e1113704e5930dc7f249a61fc4a36a7b0ad
openssl-libs-debuginfo-3.0.7-6.el9_2.s390x.rpm
SHA-256: a89730184dba726f6303c22a777a7e1113704e5930dc7f249a61fc4a36a7b0ad
openssl-perl-3.0.7-6.el9_2.s390x.rpm
SHA-256: f3409ebb9a5c55b0b885262014a6479692992182e8826c3c1e95d193d31918c8
Red Hat Enterprise Linux for Power, little endian 9
SRPM
openssl-3.0.7-6.el9_2.src.rpm
SHA-256: e2ecceb1d045843222970e41cd735bd16b0351cb89e8c84f3a2ef34d984aa7f3
ppc64le
openssl-3.0.7-6.el9_2.ppc64le.rpm
SHA-256: cfb66d60b56fb23760719aeb28139ac4f33d5cafbe08151c32c2f31dae3b2cb8
openssl-debuginfo-3.0.7-6.el9_2.ppc64le.rpm
SHA-256: 93a7d8f6b231ecf4412ff2c1d251a8a4f36170258cea7c178f11c9c17ed4681d
openssl-debuginfo-3.0.7-6.el9_2.ppc64le.rpm
SHA-256: 93a7d8f6b231ecf4412ff2c1d251a8a4f36170258cea7c178f11c9c17ed4681d
openssl-debugsource-3.0.7-6.el9_2.ppc64le.rpm
SHA-256: 8fb6e53d52aeb47edbdeafe647bf122109abe89b0b8099948bbe07c34ff2f0ec
openssl-debugsource-3.0.7-6.el9_2.ppc64le.rpm
SHA-256: 8fb6e53d52aeb47edbdeafe647bf122109abe89b0b8099948bbe07c34ff2f0ec
openssl-devel-3.0.7-6.el9_2.ppc64le.rpm
SHA-256: bfbcf8268f93fad649c309f9e6900f363c0aef786d6c1badf9038b62d779d1a8
openssl-libs-3.0.7-6.el9_2.ppc64le.rpm
SHA-256: 4aaa2c57797f5337915c67ac0fac887a6231cff96c53417e9dd2346c18b8d82a
openssl-libs-debuginfo-3.0.7-6.el9_2.ppc64le.rpm
SHA-256: 6aadb8aeef4b6f2fb8211373ea0063c4f8cc64a56e1159ca91784d77dfd4415d
openssl-libs-debuginfo-3.0.7-6.el9_2.ppc64le.rpm
SHA-256: 6aadb8aeef4b6f2fb8211373ea0063c4f8cc64a56e1159ca91784d77dfd4415d
openssl-perl-3.0.7-6.el9_2.ppc64le.rpm
SHA-256: b3203ea37a693ab2064b5c6a86c9e57ad4cb586a327b2f3ac706e67e5f556652
Red Hat Enterprise Linux for ARM 64 9
SRPM
openssl-3.0.7-6.el9_2.src.rpm
SHA-256: e2ecceb1d045843222970e41cd735bd16b0351cb89e8c84f3a2ef34d984aa7f3
aarch64
openssl-3.0.7-6.el9_2.aarch64.rpm
SHA-256: 023da582245ccb93c1eb3f0d78d81430bcca037ec200c3c8d9ef05d1e8277591
openssl-debuginfo-3.0.7-6.el9_2.aarch64.rpm
SHA-256: 3c331bdbb8b86dd8b6a4634a35f76c68665c2751c5066706a6b5b3dfe5f7a1dd
openssl-debuginfo-3.0.7-6.el9_2.aarch64.rpm
SHA-256: 3c331bdbb8b86dd8b6a4634a35f76c68665c2751c5066706a6b5b3dfe5f7a1dd
openssl-debugsource-3.0.7-6.el9_2.aarch64.rpm
SHA-256: 74a39c066c521370c56d1ffcc520d5089ec879687740039e9ddcead6259975c6
openssl-debugsource-3.0.7-6.el9_2.aarch64.rpm
SHA-256: 74a39c066c521370c56d1ffcc520d5089ec879687740039e9ddcead6259975c6
openssl-devel-3.0.7-6.el9_2.aarch64.rpm
SHA-256: 84782e90890ac81888aefef3df8096e5937bdbeaa3e1b5c170a3a83196b59bf6
openssl-libs-3.0.7-6.el9_2.aarch64.rpm
SHA-256: b166673a6c0f259c034d177442d72318d46accf60136ec668e16e4e38b61a731
openssl-libs-debuginfo-3.0.7-6.el9_2.aarch64.rpm
SHA-256: 2378c8fe5e05adb717cafb4e78a95133449504c7583a9bfc0321273cb2597b4c
openssl-libs-debuginfo-3.0.7-6.el9_2.aarch64.rpm
SHA-256: 2378c8fe5e05adb717cafb4e78a95133449504c7583a9bfc0321273cb2597b4c
openssl-perl-3.0.7-6.el9_2.aarch64.rpm
SHA-256: ac231a01a7917358c3411e6599075af7f0d5e50514fe0e89a96f24f96d6aee11
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Gentoo Linux Security Advisory 202402-8 - Multiple vulnerabilities have been found in OpenSSL, the worst of which could result in denial of service. Versions greater than or equal to 3.0.10 are affected.
Red Hat Security Advisory 2023-3742-02 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include bypass, denial of service, and remote SQL injection vulnerabilities.
Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-16250: A flaw was found in Vault and Vault Enterprise (“Vault”). In the affected versions of Vault, with the AWS Auth Method configured and under certain circumstances, the values relied upon by Vault to validate AWS IAM ident...
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...
Ubuntu Security Notice 5710-1 - It was discovered that OpenSSL incorrectly handled certain X.509 Email Addresses. If a certificate authority were tricked into signing a specially-crafted certificate, a remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. The default compiler options for affected releases reduce the vulnerability to a denial of service. It was discovered that OpenSSL incorrectly handled applications creating custom ciphers via the legacy EVP_CIPHER_meth_new function. This issue could cause certain applications that mishandled values to the function to possibly end up with a NULL cipher and messages in plaintext.
OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decrypti...
OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decrypti...