{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2023-0464", "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "state": "PUBLISHED", "assignerShortName": "openssl", "dateReserved": "2023-01-24T13:50:25.835Z", "datePublished": "2023-03-22T16:36:47.383Z", "dateUpdated": "2025-02-13T16:38:59.562Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenSSL", "vendor": "OpenSSL", "versions": [{"lessThan": "3.1.1", "status": "affected", "version": "3.1.0", "versionType": "semver"}, {"lessThan": "3.0.9", "status": "affected", "version": "3.0.0", "versionType": "semver"}, {"lessThan": "1.1.1u", "status": "affected", "version": "1.1.1", "versionType": "custom"}, {"lessThan": "1.0.2zh", "status": "affected", "version": "1.0.2", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "David Benjamin (Google)"}, {"lang": "en", "type": "remediation developer", "user": "00000000-0000-4000-9000-000000000000", "value": "Dr Paul Dale"}], "datePublic": "2023-03-21T00:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A security vulnerability has been identified in all supported versions<br><br>of OpenSSL related to the verification of X.509 certificate chains<br>that include policy constraints. Attackers may be able to exploit this<br>vulnerability by creating a malicious certificate chain that triggers<br>exponential use of computational resources, leading to a denial-of-service<br>(DoS) attack on affected systems.<br><br>Policy processing is disabled by default but can be enabled by passing<br>the `-policy' argument to the command line utilities or by calling the<br>`X509_VERIFY_PARAM_set1_policies()' function."}], "value": "A security vulnerability has been identified in all supported versions\n\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints. Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function."}], "metrics": [{"format": "other", "other": {"content": {"text": "Low"}, "type": "https://www.openssl.org/policies/secpolicy.html"}}], "problemTypes": [{"descriptions": [{"description": "inefficient algorithmic complexity", "lang": "en"}]}], "providerMetadata": {"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "shortName": "openssl", "dateUpdated": "2024-06-21T19:07:07.428Z"}, "references": [{"name": "OpenSSL Advisory", "tags": ["vendor-advisory"], "url": "https://www.openssl.org/news/secadv/20230322.txt"}, {"name": "3.1.1 git commit", "tags": ["patch"], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545"}, {"name": "3.0.9 git commit", "tags": ["patch"], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1"}, {"name": "1.1.1u git commit", "tags": ["patch"], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b"}, {"name": "1.0.2zh patch (premium)", "tags": ["patch"], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e"}, {"url": "https://www.couchbase.com/alerts/"}, {"url": "https://www.debian.org/security/2023/dsa-5417"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html"}, {"url": "https://security.gentoo.org/glsa/202402-08"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0006/"}], "source": {"discovery": "UNKNOWN"}, "title": "Excessive Resource Usage Verifying X.509 Policy Constraints", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20230406-0006/"}, {"name": "OpenSSL Advisory", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.openssl.org/news/secadv/20230322.txt"}, {"name": "3.1.1 git commit", "tags": ["patch", "x_transferred"], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545"}, {"name": "3.0.9 git commit", "tags": ["patch", "x_transferred"], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1"}, {"name": "1.1.1u git commit", "tags": ["patch", "x_transferred"], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b"}, {"name": "1.0.2zh patch (premium)", "tags": ["patch", "x_transferred"], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e"}, {"url": "https://www.couchbase.com/alerts/", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5417", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202402-08", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0006/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:10:56.350Z"}}]}, "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "matchCriteriaId": "23F912E9-9126-4D16-8F77-BD41CED6774D", "versionEndExcluding": "1.0.2zh", "versionStartIncluding": "1.0.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D99C2F8-BE74-4912-8653-A2AEE387AAF9", "versionEndExcluding": "1.1.1u", "versionStartIncluding": "1.1.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C637E94-F5EC-4D4B-836F-8C8219F1ECEC", "versionEndExcluding": "3.0.9", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "matchCriteriaId": "68821BE0-7889-48B0-888D-CEC8BB9BDEA9", "versionEndExcluding": "3.1.1", "versionStartIncluding": "3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been identified in all supported versions\n\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints. Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function."}], "id": "CVE-2023-0464", "lastModified": "2024-11-21T07:37:13.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-22T17:15:13.130", "references": [{"source": "openssl-security@openssl.org", "tags": ["Mailing List", "Patch"], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545"}, {"source": "openssl-security@openssl.org", "tags": ["Broken Link"], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e"}, {"source": "openssl-security@openssl.org", "tags": ["Mailing List", "Patch"], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b"}, {"source": "openssl-security@openssl.org", "tags": ["Mailing List", "Patch"], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1"}, {"source": "openssl-security@openssl.org", "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html"}, {"source": "openssl-security@openssl.org", "url": "https://security.gentoo.org/glsa/202402-08"}, {"source": "openssl-security@openssl.org", "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"}, {"source": "openssl-security@openssl.org", "url": "https://www.couchbase.com/alerts/"}, {"source": "openssl-security@openssl.org", "url": "https://www.debian.org/security/2023/dsa-5417"}, {"source": "openssl-security@openssl.org", "tags": ["Vendor Advisory"], "url": "https://www.openssl.org/news/secadv/20230322.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch"], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch"], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch"], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202402-08"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20230406-0006/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.couchbase.com/alerts/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.debian.org/security/2023/dsa-5417"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.openssl.org/news/secadv/20230322.txt"}], "sourceIdentifier": "openssl-security@openssl.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:7625", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-openssl-1:1.1.1k-16.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2023-12-07T00:00:00Z"}, {"advisory": "RHSA-2023:7625", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-openssl-1:1.1.1k-16.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2023-12-07T00:00:00Z"}, {"advisory": "RHSA-2023:3722", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "openssl-1:3.0.7-16.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-06-21T00:00:00Z"}, {"advisory": "RHSA-2023:3722", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "openssl-1:3.0.7-16.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-06-21T00:00:00Z"}, {"advisory": "RHSA-2023:7623", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7", "package": "openssl", "product_name": "Red Hat JBoss Web Server 5", "release_date": "2023-12-07T00:00:00Z"}, {"advisory": "RHSA-2023:7622", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el7", "package": "jws5-tomcat-native-0:1.2.31-16.redhat_16.el7jws", "product_name": "Red Hat JBoss Web Server 5.7 on RHEL 7", "release_date": "2023-12-07T00:00:00Z"}, {"advisory": "RHSA-2023:7622", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el8", "package": "jws5-tomcat-native-0:1.2.31-16.redhat_16.el8jws", "product_name": "Red Hat JBoss Web Server 5.7 on RHEL 8", "release_date": "2023-12-07T00:00:00Z"}, {"advisory": "RHSA-2023:7622", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9", "package": "jws5-tomcat-native-0:1.2.31-16.redhat_16.el9jws", "product_name": "Red Hat JBoss Web Server 5.7 on RHEL 9", "release_date": "2023-12-07T00:00:00Z"}, {"advisory": "RHSA-2023:7626", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "openssl", "product_name": "Text-Only JBCS", "release_date": "2023-12-07T00:00:00Z"}], "bugzilla": {"description": "openssl: Denial of service by excessive resource usage in verifying X509 policy constraints", "id": "2181082", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181082"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["A security vulnerability has been identified in all supported versions\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints. Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", "A security vulnerability has been identified in all supported OpenSSL versions related to verifying X.509 certificate chains that include policy constraints. This flaw allows attackers to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial of service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the -policy' argument to the command line utilities or calling the X509_VERIFY_PARAM_set1_policies()' function."], "name": "CVE-2023-0464", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ovmf", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "compat-openssl10", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "edk2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "shim", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "compat-openssl11", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "edk2", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "shim", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3", "fix_state": "Out of support scope", "package_name": "openssl", "product_name": "Red Hat JBoss Web Server 3"}], "public_date": "2023-03-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-0464\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-0464\nhttps://www.openssl.org/news/secadv/20230322.txt"], "statement": "This vulnerability is classified as low severity because policy processing in OpenSSL is disabled by default, meaning that most deployments are unaffected unless explicitly configured to enable policy checks. Additionally, while the flaw can cause exponential computational resource consumption, it does not allow for remote code execution, memory corruption, or data exfiltration\u2014limiting its impact to a denial-of-service (DoS) condition. Exploiting this issue also requires an attacker to supply a specifically crafted X.509 certificate chain, which is only feasible in scenarios where certificate validation of untrusted chains is performed, further reducing the practical risk.", "threat_severity": "Low", "upstream_fix": "openssl 3.1.1, openssl 3.0.9, openssl 1.1.1u"}