USN-6854-1: OpenSSL vulnerability

Stemcells (Ubuntu Jammy)

24760

22 August 2024

CLOSED

MEDIUM

CVE-2022-40735

Severity

medium

Vendor

VMware Tanzu

Versions Affected

  • Canonical Ubuntu 22.04
  • Cflinuxfs4
  • Operations Manager Image 3.0.x

Description

It was discovered that OpenSSL failed to choose an appropriately short private key size when computing shared secrets in the Diffie-Hellman Key Agreement Protocol. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service.

Update Instructions

Run `sudo pro fix USN-6854-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions:

  • libssl-dev - 3.0.2-0ubuntu1.16
  • libssl-doc - 3.0.2-0ubuntu1.16
  • libssl3 - 3.0.2-0ubuntu1.16
  • openssl - 3.0.2-0ubuntu1.16

No subscription required.
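As an added verification aid (not part of the advisory, Ubuntu's tooling or VMware's), the following Python compares installed package versions against the fixed versions listed above using dpkg's version ordering, so that revisions such as 0ubuntu1.9, 0ubuntu1.16 and 0ubuntu1.16~rc1 sort correctly. The `dpkg-query -W -f='${Package} ${Version}\n'` output it parses is a constructed sample, not data from a real host.

```python
import re
from itertools import zip_longest

FIXED = {p: "3.0.2-0ubuntu1.16" for p in ("libssl-dev", "libssl-doc", "libssl3", "openssl")}  # from the advisory

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output, not real host data.
SAMPLE_DPKG_OUTPUT = """\
libssl3 3.0.2-0ubuntu1.15
openssl 3.0.2-0ubuntu1.16
libssl-dev 3.0.2-0ubuntu1.16~rc1
"""

def _order(c):
    # dpkg character weight: '~' sorts before end-of-run, digits weigh 0, letters by code point, others above.
    return (0 if not c or c.isdigit() else
            ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256)

def _cmp_alpha(x, y):
    # Compare two non-digit runs character by character; a missing character weighs 0.
    diffs = (_order(p) - _order(q) for p, q in zip_longest(x, y, fillvalue=""))
    return next((d for d in diffs if d), 0)

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): alternate non-digit runs (weighted lexical) with digit runs (numeric).
    ta, tb = (re.findall(r"(\D*)(\d*)", s) for s in (a, b))
    for (xa, xd), (ya, yd) in zip_longest(ta, tb, fillvalue=("", "")):
        d = _cmp_alpha(xa, ya) or int(xd or 0) - int(yd or 0)
        if d:
            return d
    return 0

def _split(version):
    # 'epoch:upstream-revision'; the epoch defaults to 0 and the revision to the empty string.
    epoch, colon, rest = version.partition(":")
    if not colon:
        epoch, rest = "0", version
    upstream, dash, revision = rest.rpartition("-")
    return int(epoch), (upstream if dash else revision), (revision if dash else "")

def compare_versions(a, b):
    # Negative, zero or positive, in the same order `dpkg --compare-versions` uses.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def vulnerable_packages(dpkg_output, fixed=FIXED):
    # Advisory packages whose installed version is still below the fixed version.
    pairs = (line.partition(" ")[::2] for line in dpkg_output.splitlines() if line.strip())
    return {n: v for n, v in pairs if n in fixed and compare_versions(v, fixed[n]) < 0}
```

On the sample input, `vulnerable_packages(SAMPLE_DPKG_OUTPUT)` reports libssl3 and libssl-dev as still below the fixed version, while the pre-release suffix `~rc1` is correctly treated as older than the final 1.16 revision.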

Fixed VMware Products and Versions

  • Cflinuxfs4
    • 1.99.0 or greater
  • Jammy Stemcells
    • 1.486

References

https://ubuntu.com/security/notices/USN-6854-1

https://www.cloudfoundry.org/blog/usn-6854-1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6854-1

History

2024-06-27: Initial vulnerability report published.