RHSA-2023:1335: Red Hat Security Advisory: openssl security update
An update for openssl is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-0286: A type confusion vulnerability was found in OpenSSL's processing of X.400 addresses inside an X.509 GeneralName. When CRL checking is enabled (for example, the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or cause a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and the CRL, neither of which needs a valid signature. If the attacker controls only one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. In that case, this vulnerability is likely to affect only applications that have implemented their own functionality for retrieving CRLs over a network.
Synopsis
Important: openssl security update
Type/Severity
Security Advisory: Important
Topic
An update for openssl is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.
Security Fix(es):
- openssl: X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
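As an added example (not from the advisory), the check a RHEL 7 administrator would run after applying this update: it compares installed openssl packages against the fixed build 1.0.2k-26.el7_9 named in this advisory using RPM's own version-comparison rules, and flags processes that still map the replaced libssl/libcrypto and so need the restart the Solution calls for. The rpm -qa output and /proc/<pid>/maps excerpts are constructed sample data.

```python
# Audit a RHEL 7 host against RHSA-2023:1335 (openssl 1.0.2k-26.el7_9): added
# example, not part of the advisory. The fixed version-release comes from its
# package list; the rpm output and /proc/<pid>/maps data below are constructed.
import re

FIXED_VR = ("1.0.2k", "26.el7_9")   # version, release of the fixed build
OPENSSL_PKGS = {"openssl", "openssl-libs", "openssl-devel", "openssl-perl",
                "openssl-static", "openssl-debuginfo"}


def rpmvercmp(a: str, b: str) -> int:
    """RPM segment comparison (rpm 4.11 rules, as on RHEL 7): digit runs compare
    numerically, letter runs lexically, digits beat letters, '~' sorts before
    anything (pre-release), and whoever has segments left over wins."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1                       # skip separators such as '.', '_'
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        num = a[i].isdigit()
        pat = r"\d+" if num else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:                   # digit run vs letter run: digits win
            return 1 if num else -1
        sa, sb = ma.group(), mb.group()
        i, j = i + len(sa), j + len(sb)
        if num:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1


def parse_nevra(line: str):
    """Split 'name-[epoch:]version-release.arch' (rpm -qa output) into parts."""
    rest, arch = line.strip().rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    # Every RHEL 7 openssl build shares one epoch, so it is dropped here
    # (assumption: the advisory's file names carry no epoch either).
    version = version.split(":", 1)[-1]
    return name, version, release, arch


def is_fixed(version: str, release: str) -> bool:
    """True when version-release is at or above the advisory's fixed build."""
    c = rpmvercmp(version, FIXED_VR[0])
    return c > 0 if c else rpmvercmp(release, FIXED_VR[1]) >= 0


def audit_packages(rpm_qa_output: str) -> dict:
    """Map each installed openssl package ('name.arch') to True if patched."""
    status = {}
    for line in filter(str.strip, rpm_qa_output.splitlines()):
        name, version, release, arch = parse_nevra(line)
        if name in OPENSSL_PKGS:
            status[f"{name}.{arch}"] = is_fixed(version, release)
    return status


# The update replaces the library file on disk; a process still using the
# old copy shows it with a "(deleted)" suffix in /proc/<pid>/maps.
STALE_LIB = re.compile(r"/lib(ssl|crypto)\.so\S*\s+\(deleted\)$")


def processes_needing_restart(maps_by_pid: dict) -> list:
    """Return pids whose maps still reference a replaced libssl/libcrypto."""
    return sorted(pid for pid, maps in maps_by_pid.items()
                  if any(STALE_LIB.search(ln) for ln in maps.splitlines()))


# Constructed sample: libs and the CLI updated, -devel one build behind,
# and one process that was started before the update.
SAMPLE_RPM_QA = """\
openssl-libs-1.0.2k-26.el7_9.x86_64
openssl-1.0.2k-26.el7_9.x86_64
openssl-devel-1.0.2k-25.el7_9.x86_64
zlib-1.2.7-21.el7_9.x86_64
"""
SAMPLE_MAPS = {
    1234: "7f00-7f01 r-xp 00000000 fd:00 11 /usr/lib64/libcrypto.so.1.0.2k (deleted)\n"
          "7f02-7f03 r-xp 00000000 fd:00 12 /usr/lib64/libc-2.17.so\n",
    5678: "7f04-7f05 r-xp 00000000 fd:00 13 /usr/lib64/libcrypto.so.1.0.2k\n",
}

if __name__ == "__main__":
    for pkg, ok in audit_packages(SAMPLE_RPM_QA).items():
        print(f"{pkg}: {'fixed' if ok else 'VULNERABLE'}")
    print("restart needed for pids:", processes_needing_restart(SAMPLE_MAPS))
```

On a real host, feed it `rpm -qa 'openssl*'` and the contents of `/proc/<pid>/maps` for each running process instead of the constructed samples.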
Affected Products
- Red Hat Enterprise Linux Server 7 x86_64
- Red Hat Enterprise Linux Workstation 7 x86_64
- Red Hat Enterprise Linux Desktop 7 x86_64
- Red Hat Enterprise Linux for IBM z Systems 7 s390x
- Red Hat Enterprise Linux for Power, big endian 7 ppc64
- Red Hat Enterprise Linux for Scientific Computing 7 x86_64
- Red Hat Enterprise Linux for Power, little endian 7 ppc64le
Fixes
- BZ - 2164440 - CVE-2023-0286 openssl: X.400 address type confusion in X.509 GeneralName
Red Hat Enterprise Linux Server 7
SRPM
- openssl-1.0.2k-26.el7_9.src.rpm
x86_64
- openssl-1.0.2k-26.el7_9.x86_64.rpm
- openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm
- openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm
- openssl-devel-1.0.2k-26.el7_9.i686.rpm
- openssl-devel-1.0.2k-26.el7_9.x86_64.rpm
- openssl-libs-1.0.2k-26.el7_9.i686.rpm
- openssl-libs-1.0.2k-26.el7_9.x86_64.rpm
- openssl-perl-1.0.2k-26.el7_9.x86_64.rpm
- openssl-static-1.0.2k-26.el7_9.i686.rpm
- openssl-static-1.0.2k-26.el7_9.x86_64.rpm
Red Hat Enterprise Linux Workstation 7
SRPM and x86_64 packages: identical to the Red Hat Enterprise Linux Server 7 list above.
Red Hat Enterprise Linux Desktop 7
SRPM and x86_64 packages: identical to the Red Hat Enterprise Linux Server 7 list above.
Red Hat Enterprise Linux for IBM z Systems 7
SRPM
- openssl-1.0.2k-26.el7_9.src.rpm
s390x
- openssl-1.0.2k-26.el7_9.s390x.rpm
- openssl-debuginfo-1.0.2k-26.el7_9.s390.rpm
- openssl-debuginfo-1.0.2k-26.el7_9.s390x.rpm
- openssl-devel-1.0.2k-26.el7_9.s390.rpm
- openssl-devel-1.0.2k-26.el7_9.s390x.rpm
- openssl-libs-1.0.2k-26.el7_9.s390.rpm
- openssl-libs-1.0.2k-26.el7_9.s390x.rpm
- openssl-perl-1.0.2k-26.el7_9.s390x.rpm
- openssl-static-1.0.2k-26.el7_9.s390.rpm
- openssl-static-1.0.2k-26.el7_9.s390x.rpm
Red Hat Enterprise Linux for Power, big endian 7
SRPM
- openssl-1.0.2k-26.el7_9.src.rpm
ppc64
- openssl-1.0.2k-26.el7_9.ppc64.rpm
- openssl-debuginfo-1.0.2k-26.el7_9.ppc.rpm
- openssl-debuginfo-1.0.2k-26.el7_9.ppc64.rpm
- openssl-devel-1.0.2k-26.el7_9.ppc.rpm
- openssl-devel-1.0.2k-26.el7_9.ppc64.rpm
- openssl-libs-1.0.2k-26.el7_9.ppc.rpm
- openssl-libs-1.0.2k-26.el7_9.ppc64.rpm
- openssl-perl-1.0.2k-26.el7_9.ppc64.rpm
- openssl-static-1.0.2k-26.el7_9.ppc.rpm
- openssl-static-1.0.2k-26.el7_9.ppc64.rpm
Red Hat Enterprise Linux for Scientific Computing 7
SRPM and x86_64 packages: identical to the Red Hat Enterprise Linux Server 7 list above.
Red Hat Enterprise Linux for Power, little endian 7
SRPM
- openssl-1.0.2k-26.el7_9.src.rpm
ppc64le
- openssl-1.0.2k-26.el7_9.ppc64le.rpm
- openssl-debuginfo-1.0.2k-26.el7_9.ppc64le.rpm
- openssl-devel-1.0.2k-26.el7_9.ppc64le.rpm
- openssl-libs-1.0.2k-26.el7_9.ppc64le.rpm
- openssl-perl-1.0.2k-26.el7_9.ppc64le.rpm
- openssl-static-1.0.2k-26.el7_9.ppc64le.rpm
Related news
Ubuntu Security Notice 6564-1 - Hubert Kario discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain sensitive information. CarpetFuzz, Dawei Wang discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.
Red Hat Security Advisory 2023-5103-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.11.6 images.
Red Hat Security Advisory 2023-4421-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift Virtualization 4.12.5 images.
IBM Security Guardium 11.3 could allow an authenticated user to cause a denial of service due to improper input validation. IBM X-Force ID: 240903.
IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 could allow an authenticated user send a specially crafted request that could cause a denial of service. IBM X-Force ID: 251704.
Red Hat Security Advisory 2023-3645-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a denial of service vulnerability.
The Migration Toolkit for Containers (MTC) 1.7.10 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24534: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service. * CVE-2023-24536: A flaw was found in Golang Go, where it is vulnerable to a denial of service cause...
An update is now available for Red Hat JBoss Web Server 5.7.3 on Red Hat Enterprise Linux versions 7, 8, and 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4304: A timing-based side channel exists in the OpenSSL RSA Decryption implementation, which could be sufficient to recover a ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, an attacker would have to be able to send a very large number of trial messages for decry...
Red Hat JBoss Web Server 5.7.3 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4304: A timing-based side channel exists in the OpenSSL RSA Decryption implementation, which could be sufficient to recover a ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, an attacker would have to be abl...
Secondary Scheduler Operator for Red Hat OpenShift 1.1.1 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query ...
Red Hat Security Advisory 2023-2110-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.16. Issues addressed include a bypass vulnerability.
An update for edk2 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38578: A flaw was found in edk2. A integer underflow in the SmmEntryPoint function leads to a write into the SMM region allowing a local attacker with administration privileges on the system to execute code within the SMM privileged context. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability....
Red Hat Security Advisory 2023-2104-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.8 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include a denial of service vulnerability.
Red Hat Advanced Cluster Management for Kubernetes 2.5.8 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.
Red Hat Security Advisory 2023-2083-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.5 General Availability release images, which fix bugs and security updates container images. Issues addressed include denial of service and server-side request forgery vulnerabilities.
Red Hat Security Advisory 2023-2041-01 - Migration Toolkit for Applications 6.1.0 Images. Issues addressed include denial of service, privilege escalation, server-side request forgery, and traversal vulnerabilities.
Red Hat Security Advisory 2023-1887-01 - Multicluster Engine for Kubernetes 2.2.3 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-1816-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.
In LTOS versions prior to V7.06.013, the configuration file upload function would not correctly validate the input, which would allow an remote authenticated attacker with high privileges to execute arbitrary commands.
Red Hat Security Advisory 2023-1893-01 - Red Hat Multicluster Engine Hotfix Security Update for Console. Red Hat Product Security has rated this update as having a security impact of Critical.
Red Hat Multicluster Engine Hotfix Security Update for Console Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-29017: A flaw was found in vm2 where the component was not properly handling asynchronous errors. This flaw allows a remote, unauthenticated attacker to escape the restrictions of the sandbox and execute code on the host. * CVE-2023-29199: There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, al...
Multicluster Engine for Kubernetes 2.2.3 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server. * CVE-2023-29017: A flaw was found in vm2 where the component...
Red Hat Security Advisory 2023-1656-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.10.56.
Red Hat Security Advisory 2023-1504-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.34.
Red Hat Security Advisory 2023-1310-01 - An update is now available for Logging Subsystem for Red Hat OpenShift - 5.5.9. Red Hat Product Security has rated this update as having a security impact of Moderate.
Red Hat Security Advisory 2023-1440-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library.
Red Hat Security Advisory 2023-1441-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library.
An update for openssl is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0286: A type confusion vulnerability was found in OpenSSL when OpenSSL X.400 addresses processing inside an X.509 GeneralName. When CRL checking is enabled (for example, the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to r...
An update for openssl is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0286: A type confusion vulnerability was found in OpenSSL when OpenSSL X.400 addresses processing inside an X.509 GeneralName. When CRL checking is enabled (for example, the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to r...
An update for openssl is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0286: A type confusion vulnerability was found in OpenSSL when OpenSSL X.400 addresses processing inside an X.509 GeneralName. When CRL checking is enabled (for example, the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to r...
An update for openssl is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0286: A type confusion vulnerability was found in OpenSSL when OpenSSL X.400 addresses processing inside an X.509 GeneralName. When CRL checking is enabled (for example, the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to ...
An update for openssl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4304: A timing-based side channel exists in the OpenSSL RSA Decryption implementation, which could be sufficient to recover a ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, an attacker would have to be able to send a very large number of trial messages for decryption. This issue affects all RSA padding...
Red Hat Security Advisory 2023-1335-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library.
Red Hat Security Advisory 2023-1199-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Issues addressed include buffer overflow, double free, and use-after-free vulnerabilities.
An update for openssl is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4203: A flaw was found in OpenSSL. A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification, and requires either a CA to have signed the malicious certificate or for the application to continue certif...
The bundle management subsystem within OpenHarmony-v3.1.4 and prior versions has a null pointer dereference vulnerability that local attackers can exploit to cause a DoS of the system when installing a malicious HAP package.
An update for openssl is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4203: A flaw was found in OpenSSL. A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification, and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite...
Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news
The OpenSSL Project has released fixes to address several security flaws, including a high-severity bug in the open source encryption toolkit that could potentially expose users to malicious attacks. Tracked as CVE-2023-0286, the issue relates to a case of type confusion that may permit an adversary to "read memory contents or enact a denial-of-service," the maintainers said in an advisory. The
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.8.1-39.0.0 are vulnerable to a security issue. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221213.txt and https://www.openssl.org/news/secadv/20230207.txt. If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.
A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. If the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available, the digest initialization will fail. There is a missing check for the return value from the initialization function, which later leads to invalid usage of the digest API, most likely resulting in a crash. The unavailability of an algorithm can be caused by using a FIPS-enabled configuration of providers or, more commonly, by not loading the legacy provider. PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions; however, third-party applications would be affected if they call these functions to verify signatures on untrusted data.
Ubuntu Security Notice 5845-2 - USN-5845-1 fixed several vulnerabilities in OpenSSL. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. David Benjamin discovered that OpenSSL incorrectly handled X.400 address processing. A remote attacker could possibly use this issue to read arbitrary memory contents or cause OpenSSL to crash, resulting in a denial of service.