===================================================================                               CERT-Renater

                    Note d'Information No. 2023/VULN112

_____________________________________________________________________

DATE                : 23/03/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running OpenSSL versions prior to
                        3.1.1, 3.0.9, 1.1.1u, 1.1.1u.

====================================================================https://www.openssl.org/news/secadv/20230322.txt
_____________________________________________________________________



Excessive Resource Usage Verifying X.509 Policy Constraints (CVE-2023-0464)
===========================================================================

Severity: Low

A security vulnerability has been identified in all supported
versions of OpenSSL related to the verification of X.509 certificate
chains that include policy constraints.  Attackers may be able to
exploit this vulnerability by creating a malicious certificate chain
that triggers exponential use of computational resources, leading
to a denial-of-service (DoS) attack on affected systems.

Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.

OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Due to the low severity of this issue we are not issuing new releases
of OpenSSL at this time. The fix will be included in the next releases
when they become available. The fix is also available in commit 2017771e
(for 3.1), commit 959c59c7 (for 3.0), commit 879f7080 (for 1.1.1) in
the OpenSSL git repository, and commit 2dcd4f1e (for 1.0.2) in the
OpenSSL git repository for premium customers.

Once they are released:

OpenSSL 3.1 users should upgrade to 3.1.1.
OpenSSL 3.0 users should upgrade to 3.0.9.
OpenSSL 1.1.1 users should upgrade to 1.1.1u.
OpenSSL 1.0.2 users should upgrade to 1.0.2zh (premium support customers
only).

This issue was reported on 12th January 2023 by David Benjamin (Google).
The fix was developed by Dr Paul Dale.

OpenSSL 1.1.1 will reach end-of-life on 2023-09-11. After that date
security fixes for 1.1.1 will only be available to premium support
customers.


References
========URL for this Security Advisory:
https://www.openssl.org/news/secadv/20230322.txt

Note: the online version of the advisory may be updated with
additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html


========================================================+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=======================================================