Support Content Notification - Support Portal

USN-6854-1: OpenSSL vulnerability

Product/Component

Notification Id

24760

Last Updated

22 August 2024

Initial Publication Date

22 August 2024

Status

CLOSED

Severity

MEDIUM

CVSS Base Score

WorkAround

Affected CVE

CVE-2022-40735

Severity

medium

Vendor

VMware Tanzu

Versions Affected

Canonical Ubuntu 22.04
Cflinuxfs4
Operations Manager Image 3.0.x

Description

It was discovered that OpenSSL failed to choose an appropriately short private key size when computing shared-secrets in the Diffie-Hellman Key Agreement Protocol. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. Update Instructions: Run `sudo pro fix USN-6854-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libssl-dev - 3.0.2-0ubuntu1.16 libssl-doc - 3.0.2-0ubuntu1.16 libssl3 - 3.0.2-0ubuntu1.16 openssl - 3.0.2-0ubuntu1.16 No subscription required.

Fixed VMware Products and Versions

Cflinuxfs4

1.99.0 or greater

Jammy Stemcells

1.486

References

https://ubuntu.com/security/notices/USN-6854-1

https://www.cloudfoundry.org/blog/usn-6854-1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6854-1

History

2024-06-27: Initial vulnerability report published.