USN-6709-1: OpenSSL vulnerabilities
24687
07 August 2024
16 July 2024
CLOSED
LOW
CVE-2023-3446;CVE-2023-3817;CVE-2023-5678;CVE-2024-0727
Severity
low
Vendor
VMware Tanzu
Versions Affected
- Canonical Ubuntu 18.04
- Cflinuxfs3
Description
It was discovered that checking excessively long DH keys or parameters may be very slow. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. (CVE-2023-3446)

After the fix for CVE-2023-3446, Bernd Edlinger discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. (CVE-2023-3817)

David Benjamin discovered that generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. (CVE-2023-5678)

Bahaa Naamneh discovered that processing a maliciously formatted PKCS12 file may lead OpenSSL to crash, leading to a potential denial of service attack. (CVE-2024-0727)

Update Instructions:
Run `sudo pro fix USN-6709-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions:
- libssl1.0-dev - 1.0.2n-1ubuntu5.13+esm1
- libssl1.0.0 - 1.0.2n-1ubuntu5.13+esm1
- openssl1.0 - 1.0.2n-1ubuntu5.13+esm1
Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro.
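As an added example (not part of the advisory or of any Ubuntu or VMware tooling), the following Python script implements dpkg's Debian version ordering and checks a package inventory against the fixed versions listed above. The fixed versions come from the advisory; the sample dpkg-query output is constructed, and the function and variable names are the example's own.

```python
import re
from itertools import zip_longest

FIXED_VERSIONS = {  # package -> fixed version, taken from the advisory text above
    "libssl1.0-dev": "1.0.2n-1ubuntu5.13+esm1",
    "libssl1.0.0": "1.0.2n-1ubuntu5.13+esm1",
    "openssl1.0": "1.0.2n-1ubuntu5.13+esm1",
}

def _weight(c):
    # dpkg weight of a non-digit character: '~' sorts below everything, letters by code point, symbols above letters
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's verrevcmp: walk both strings as alternating non-digit runs (by weight) and digit runs (numerically)
    parts = zip_longest(re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b), fillvalue=("", ""))
    for (ta, da), (tb, db) in parts:
        n = max(len(ta), len(tb))
        wa = [_weight(c) for c in ta] + [0] * (n - len(ta))  # a missing char weighs 0, so "1.0~rc1" < "1.0"
        wb = [_weight(c) for c in tb] + [0] * (n - len(tb))
        na, nb = int(da or 0), int(db or 0)  # leading zeros are irrelevant, as in dpkg
        if (wa, na) != (wb, nb):
            return -1 if (wa, na) < (wb, nb) else 1
    return 0

def _split(v):
    # "epoch:upstream-revision" -> (int epoch, upstream, revision); epoch defaults to 0, revision to ""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # -1, 0 or 1 for a < b, a == b, a > b in Debian version order: epoch, then upstream, then revision
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def affected_packages(dpkg_output, fixed=FIXED_VERSIONS):
    # Each input line is "<package> <version>"; report packages still older than the advisory's fix
    vulnerable = []
    for line in dpkg_output.splitlines():
        name, version = line.split()
        if name in fixed and compare_versions(version, fixed[name]) < 0:
            vulnerable.append((name, version))
    return vulnerable

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output, not taken from a real host
SAMPLE = """libssl1.0.0 1.0.2n-1ubuntu5.13
libssl1.0-dev 1.0.2n-1ubuntu5.13+esm1
openssl1.0 1.0.2n-1ubuntu5.12
libssl1.1 1.1.1-1ubuntu2.1~18.04.23"""
```

On a real Ubuntu 18.04 or cflinuxfs3 host, feed `affected_packages` the output of the dpkg-query command quoted in the comment; packages not named in the advisory are ignored.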
Fixed VMware Products and Versions
- Cflinuxfs3
- 0.388.0 or greater
- Platform Automation Toolkit
- 4.432 or greater
- 5.0.25 or greater
- 5.1.2 or greater
- CF Deployment
- 30.0.0 or greater
References
https://ubuntu.com/security/notices/USN-6709-1
https://www.cloudfoundry.org/blog/usn-6709-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6709-1
History
2024-03-21: Initial vulnerability report published.