Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2023-0466

Published: 28 March 2023

The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.

Notes

AuthorNote
mdeslaur
The upstream fix for this is only a documentation change

Priority

Negligible

Cvss 3 Severity Score

5.3

Score breakdown

Status

Package Release Status
edk2
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Needs triage

jammy Needs triage

kinetic Ignored
(end of life, was needs-triage)
lunar Needs triage

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Needs triage

nodejs
Launchpad, Ubuntu, Debian
bionic Needs triage

focal Not vulnerable
(uses system openssl)
jammy Needed

kinetic Not vulnerable
(uses system openssl)
lunar Not vulnerable
(uses system openssl)
trusty Not vulnerable
(uses system openssl)
upstream Needs triage

xenial Needs triage

openssl
Launchpad, Ubuntu, Debian
lunar
Released (3.0.8-1ubuntu1.1)
upstream Needs triage

bionic
Released (1.1.1-1ubuntu2.1~18.04.22)
focal
Released (1.1.1f-1ubuntu2.18)
jammy
Released (3.0.2-0ubuntu1.9)
kinetic
Released (3.0.5-2ubuntu2.2)
trusty
Released (1.0.1f-1ubuntu2.27+esm7)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
xenial
Released (1.0.2g-1ubuntu4.20+esm7)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
Patches:
upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=51e8a84ce742db0f6c70510d0159dad8f7825908 (openssl-3.0)
upstream: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a (OpenSSL_1_1_1-stable)
openssl1.0
Launchpad, Ubuntu, Debian
focal Does not exist

jammy Does not exist

kinetic Does not exist

lunar Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

bionic
Released (1.0.2n-1ubuntu5.12)

Severity score breakdown

Parameter Value
Base score 5.3
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact Low
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N