OpenSSL Security Advisory CVE-2023-0286

Regarding the latest OpenSSL vulnerability (CVE-2023-0286), I don’t see that RHEL, AlmaLinux, Oracle, or any of the other EL8 or EL9 clones offer any packages to resolve this vulnerability. How are corporate or gov’t organizations able to respond to this vulnerability through standard package management (i.e., dnf or yum)? The vulnerability is still listed as “high”. Is a package update in the works? Thanks for any insight.

Marked as moderate by Red Hat.

Statement

To trigger the vulnerability, the software should use third-party-provided CRLs and certificates, download them in real time (implementing the corresponding callback, which is also hardly possible because it implies a separate HTTP request during TLS connection establishment) and verify them. We are not aware of any such software in our distributions. Hence we marked this security flaw as Moderate.

Yep, saw that. Thanks.

That Red Hat page also lists:

RHEL 9 openssl Fixed RHSA-2023:0946 Feb 28, 2023

AlmaLinux 9 has the openssl package with the fix for CVE-2023-0286 built already on that date:

$ rpm -q --changelog openssl | head -18
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-47
- Fixed X.509 Name Constraints Read Buffer Overflow
  Resolves: CVE-2022-4203
- Fixed Timing Oracle in RSA Decryption
  Resolves: CVE-2022-4304
- Fixed Double free after calling PEM_read_bio_ex
  Resolves: CVE-2022-4450
- Fixed Use-after-free following BIO_new_NDEF
  Resolves: CVE-2023-0215
- Fixed Invalid pointer dereference in d2i_PKCS7 functions
  Resolves: CVE-2023-0216
- Fixed NULL dereference validating DSA public key
  Resolves: CVE-2023-0217
- Fixed X.400 address type confusion in X.509 GeneralName
  Resolves: CVE-2023-0286
- Fixed NULL dereference during PKCS7 data verification
  Resolves: CVE-2023-0401

$ rpm -qi openssl | grep "Build Date"
Build Date  : Tue 28 Feb 2023 10:40:26 AM EET

Therefore, where did you look?

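Because distributions backport fixes without bumping the upstream version (the package above is still 1:3.0.1), the "Resolves: CVE-..." lines of the rpm changelog are the reliable signal. The following is an added example, not code from the thread: a POSIX sh function that scans changelog text for a given CVE and reports the entry that fixed it. The embedded changelog is constructed for offline use and mirrors the format shown above; in real use you would pipe `rpm -q --changelog openssl` into the function.

```shell
#!/bin/sh
# Added example (not from the thread): check RPM changelog text for a CVE fix.
# Real-world use:  rpm -q --changelog openssl | cve_fixed_in_changelog CVE-2023-0286

# Reads changelog text on stdin. Prints the header line of the entry that
# resolves the CVE ("* <date> <packager> - <evr>") and returns 0 if found,
# 1 otherwise. The CVE id is matched as a whole token so CVE-2023-0286 does
# not match CVE-2023-02860.
cve_fixed_in_changelog() {
  awk -v cve="$1" '
    /^\* /                                    { header = $0 }
    /Resolves:/ && $0 ~ (cve "([^0-9]|$)")    { print header; found = 1; exit }
    END                                       { exit found ? 0 : 1 }
  '
}

# Constructed sample changelog in the same layout as `rpm -q --changelog`.
# The packager name and address are placeholders, not real data.
SAMPLE_CHANGELOG='* Wed Feb 08 2023 Example Maintainer <maint@example.invalid> - 1:3.0.1-47
- Fixed X.400 address type confusion in X.509 GeneralName
  Resolves: CVE-2023-0286
- Fixed NULL dereference during PKCS7 data verification
  Resolves: CVE-2023-0401
* Tue Jan 10 2023 Example Maintainer <maint@example.invalid> - 1:3.0.1-46
- Unrelated rebuild'

# Convenience wrapper so the sample can be queried by CVE id.
check_sample() {
  printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in_changelog "$1"
}

# Demonstration: one CVE present in the sample, one absent.
for cve in CVE-2023-0286 CVE-2022-4304; do
  if entry=$(check_sample "$cve"); then
    echo "$cve: fixed in entry: $entry"
  else
    echo "$cve: no fix recorded in changelog"
  fi
done
```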

Thanks, I stand corrected. I did finally see that they have a fix for EL9, but not 8, which is what we are using.

A significant point is that in EL8 openssl is 1.1.1, while EL9 has openssl 3.

That might explain why EL9 got a fix, but EL8 did not.


Thanks all. It seems Red Hat doesn't believe it's critical enough to fix, at least for anything below RHEL 9. My rationale will be: if there is no patch provided by Red Hat/Alma, then I'm not going to brute-force it. I'm especially not going to risk it when we're talking about openssl.