USN-6709-1: OpenSSL vulnerabilities

VMware Tanzu Application Service

24687

07 August 2024

16 July 2024

CLOSED

LOW

CVE-2023-3446;CVE-2023-3817;CVE-2023-5678;CVE-2024-0727

Severity

low

Vendor

VMware Tanzu

Versions Affected

  • Canonical Ubuntu 18.04
  • Cflinuxfs3

Description

It was discovered that checking excessively long DH keys or parameters may be very slow. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. (CVE-2023-3446)

After the fix for CVE-2023-3446 Bernd Edlinger discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. (CVE-2023-3817)

David Benjamin discovered that generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. (CVE-2023-5678)

Bahaa Naamneh discovered that processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack. (CVE-2024-0727)

Update Instructions: Run `sudo pro fix USN-6709-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions:

  • libssl1.0-dev - 1.0.2n-1ubuntu5.13+esm1
  • libssl1.0.0 - 1.0.2n-1ubuntu5.13+esm1
  • openssl1.0 - 1.0.2n-1ubuntu5.13+esm1

Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro.
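To confirm that a host actually carries the fixed packages, the following added example (not part of the original advisory) compares installed versions against the fixed version listed above using Debian version ordering, which a plain string comparison gets wrong for suffixes such as `+esm1`. The helper names and the sample `dpkg-query` output are constructed for illustration.

```python
import re
from itertools import zip_longest

# Fixed version and package names as listed in the advisory.
FIXED = "1.0.2n-1ubuntu5.13+esm1"
PACKAGES = ("libssl1.0-dev", "libssl1.0.0", "openssl1.0")

def _weight(c):
    # dpkg ordering: '~' sorts before end of string (0), letters before symbols.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit / digit runs; digit runs compare as integers.
    runs = [re.findall(r"(\D*)(\d*)", s) for s in (a, b)]
    for (sa, da), (sb, db) in zip_longest(*runs, fillvalue=("", "")):
        ka = [_weight(c) for c in sa] + [0]
        kb = [_weight(c) for c in sb] + [0]
        if ka != kb:
            return -1 if ka < kb else 1
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return int(epoch), upstream, rev

def compare_versions(a, b):
    """Return -1, 0 or 1 following Debian version ordering."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(dpkg_query_output):
    """Advisory packages that are installed at a version below FIXED."""
    rows = (line.split() for line in dpkg_query_output.splitlines())
    found = {r[0]: r[1] for r in rows if len(r) == 2}
    return sorted(p for p in PACKAGES
                  if p in found and compare_versions(found[p], FIXED) < 0)

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
SAMPLE = """libssl1.0.0 1.0.2n-1ubuntu5.13
openssl1.0 1.0.2n-1ubuntu5.13+esm1
"""

print("below fixed version:", unpatched(SAMPLE))
```

On a real host, pass the text produced by `dpkg-query -W -f='${Package} ${Version}\n'` to `unpatched` in place of the sample.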

Fixed VMware Products and Versions

  • Cflinuxfs3
    • 0.388.0 or greater
  • Platform Automation Toolkit
    • 4.432 or greater
    • 5.0.25 or greater
    • 5.1.2 or greater
  • CF Deployment
    • 30.0.0 or greater

References

https://ubuntu.com/security/notices/USN-6709-1

https://www.cloudfoundry.org/blog/usn-6709-1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6709-1

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24687

History

2024-03-21: Initial vulnerability report published.