Severity: Medium
Vendor: Canonical Ubuntu
Matt Caswell discovered that OpenSSL incorrectly handled certain ASN.1 object identifiers. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, resulting in a denial of service. (CVE-2023-2650)

Anton Romanov discovered that OpenSSL incorrectly handled AES-XTS cipher decryption on 64-bit ARM platforms. An attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 22.10, and Ubuntu 23.04. (CVE-2023-1255)

Update Instructions: Run `sudo pro fix USN-6119-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions:

- libssl1.0.0 – 1.0.2n-1ubuntu5.13
- libssl1.0-dev – 1.0.2n-1ubuntu5.13
- openssl1.0 – 1.0.2n-1ubuntu5.13

No subscription required.

- libssl-dev – 1.1.1-1ubuntu2.1~18.04.23
- openssl – 1.1.1-1ubuntu2.1~18.04.23
- libssl-doc – 1.1.1-1ubuntu2.1~18.04.23
- libssl1.1 – 1.1.1-1ubuntu2.1~18.04.23

No subscription required.
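As an added example (not part of this advisory and not Canonical's or Cloud Foundry's tooling), the following Python script checks `dpkg-query` output against the fixed package versions listed above. It reimplements dpkg's version ordering (epoch, upstream version, Debian revision, with `~` sorting before everything else) so that a version such as `1.1.1-1ubuntu2.1~18.04.22` is correctly judged older than the fixed `1.1.1-1ubuntu2.1~18.04.23`. The embedded `dpkg-query` output is constructed sample data; on a real host the script reads the live package list instead.

```python
"""Flag installed packages that are older than the USN-6119-1 fixed versions.

Added example, not part of the advisory. Implements dpkg's comparison rules
(epoch:upstream-revision, '~' < end-of-string < letters < other characters)
so that Ubuntu version strings with '~' compare the way `dpkg --compare-versions` does.
"""
import subprocess

# Fixed versions exactly as listed in USN-6119-1.
FIXED_VERSIONS = {
    "libssl1.0.0": "1.0.2n-1ubuntu5.13",
    "libssl1.0-dev": "1.0.2n-1ubuntu5.13",
    "openssl1.0": "1.0.2n-1ubuntu5.13",
    "libssl-dev": "1.1.1-1ubuntu2.1~18.04.23",
    "openssl": "1.1.1-1ubuntu2.1~18.04.23",
    "libssl-doc": "1.1.1-1ubuntu2.1~18.04.23",
    "libssl1.1": "1.1.1-1ubuntu2.1~18.04.23",
}

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output:
# only libssl1.1 is one revision behind the fix; libc6 is not in scope.
SAMPLE_DPKG_QUERY = """\
libssl1.1 1.1.1-1ubuntu2.1~18.04.22
openssl 1.1.1-1ubuntu2.1~18.04.23
libssl-dev 1.1.1-1ubuntu2.1~18.04.23
libssl1.0.0 1.0.2n-1ubuntu5.13
libc6 2.27-3ubuntu1.6
"""


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """Weight of a character in dpkg's ordering: '~' < end/digit < letters < others."""
    if c == "" or _isdigit(c):
        return 0
    if c == "~":
        return -1
    if c.isascii() and c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare an upstream-version or revision fragment the way dpkg's verrevcmp does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: first differing character weight decides.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros; longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into its three parts (epoch and revision optional)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-") if "-" in version else (version, "", "")
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching the outcome of `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def find_unpatched(dpkg_output: str, fixed=FIXED_VERSIONS) -> dict:
    """Map each in-scope package installed below its fixed version to the installed version."""
    unpatched = {}
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        pkg, ver = parts
        if pkg in fixed and compare_versions(ver, fixed[pkg]) < 0:
            unpatched[pkg] = ver
    return unpatched


if __name__ == "__main__":
    # Prefer the live package list; fall back to the constructed sample when dpkg is absent.
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Package} ${Version}\\n"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_DPKG_QUERY
    for pkg, ver in sorted(find_unpatched(out).items()):
        print(f"{pkg} {ver} is below fixed version {FIXED_VERSIONS[pkg]}")
```

The comparison is written out rather than shelling to `dpkg --compare-versions` per package so that the check also runs from a central host over collected package inventories, where dpkg is not necessarily installed; the `~` handling is the part most ad-hoc string comparisons get wrong.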
CVEs contained in this USN include: CVE-2023-1255, CVE-2023-2650.
Severity is medium unless otherwise noted.
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases (operator lt: releases with a version lower than the one listed are affected, so upgrade to at least that version):
2023-06-29: Initial vulnerability report published.
Name | Operator | Version |
---|---|---|
bionic stemcells | lt | 1.204 |
cflinuxfs3 | lt | 0.369.0 |
cflinuxfs4 | lt | 1.13.0 |
jammy stemcells | lt | 1.125 |
cf deployment | lt | 30.0.0 |