CVE-2023-0465
Published: 28 March 2023
Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
Notes
| Author | Note |
|---|---|
| ccdm94 | This CVE was omitted from the changelog of the updates listed below for packages openssl and openssl1.0. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
edk2 Launchpad, Ubuntu, Debian |
lunar |
Needs triage
|
| trusty |
Ignored
(end of standard support)
|
|
| xenial |
Needs triage
|
|
| bionic |
Needs triage
|
|
| focal |
Needs triage
|
|
| jammy |
Needs triage
|
|
| kinetic |
Ignored
(end of life, was needs-triage)
|
|
| upstream |
Needs triage
|
|
|
nodejs Launchpad, Ubuntu, Debian |
focal |
Not vulnerable
(uses system openssl)
|
| kinetic |
Not vulnerable
(uses system openssl)
|
|
| lunar |
Not vulnerable
(uses system openssl)
|
|
| trusty |
Not vulnerable
(uses system openssl)
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
| bionic |
Needs triage
|
|
| jammy |
Needed
|
|
|
openssl Launchpad, Ubuntu, Debian |
focal |
Released
(1.1.1f-1ubuntu2.18)
|
| lunar |
Released
(3.0.8-1ubuntu1.1)
|
|
| upstream |
Needs triage
|
|
| bionic |
Released
(1.1.1-1ubuntu2.1~18.04.22)
|
|
| jammy |
Released
(3.0.2-0ubuntu1.9)
|
|
| kinetic |
Released
(3.0.5-2ubuntu2.2)
|
|
| trusty |
Released
(1.0.1f-1ubuntu2.27+esm7)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| xenial |
Released
(1.0.2g-1ubuntu4.20+esm7)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
|
Patches: upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1dd43e0709fece299b15208f36cc7c76209ba0bb (openssl-3.0) upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b013765abfa80036dc779dd0e50602c57bb3bf95 (OpenSSL_1_1_1-stable) |
||
|
openssl1.0 Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
| bionic |
Released
(1.0.2n-1ubuntu5.12)
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |