Support Content Notification - Support Portal

USN-6663-1: OpenSSL update

Product/Component

VMware Tanzu Application Service

1 more products

Notification Id

24683

Last Updated

07 August 2024

Initial Publication Date

16 July 2024

Status

CLOSED

Severity

LOW

CVSS Base Score

WorkAround

Affected CVE

Severity

low

Vendor

VMware Tanzu

Versions Affected

Canonical Ubuntu 18.04
Cflinuxfs3

Description

As a security improvement, this update prevents OpenSSL from returning an error when detecting wrong padding in PKCS#1 v1.5 RSA, to prevent its use in possible Bleichenbacher timing attacks. Update Instructions: Run `sudo pro fix USN-6663-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libssl1.1 - 1.1.1-1ubuntu2.1~18.04.23+esm5 libssl-dev - 1.1.1-1ubuntu2.1~18.04.23+esm5 openssl - 1.1.1-1ubuntu2.1~18.04.23+esm5 libssl-doc - 1.1.1-1ubuntu2.1~18.04.23+esm5 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro.

Fixed VMware Products and Versions

VMware Tanzu Application Service for VMs

4.4.32 or greater
5.0.25 or greater
5.1.2 or greater

Cf Deployment

30.0.0 or greater

References

https://ubuntu.com/security/notices/USN-6663-1

https://www.cloudfoundry.org/blog/usn-6663-1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6663-1

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24683

History

2024-02-27: Initial vulnerability report published.