Advisory ROSA-SA-2024-2366
Date: 2024-03-05 08:46:27
Source: ROSA LAB (abf.rosalinux.ru)
Tags: openssl, rosa-chrome, denial-of-service, man-in-the-middle, certificate validation

7.5 High (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.4 High (Confidence: High)

5 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.003 Low (Percentile: 65.1%)

Software: openssl 1.1.1v
OS: ROSA-CHROME

package_evr_string: openssl-1.1.1.1v-1.src.rpm

CVE-ID: CVE-2023-2650
BDU-ID: 2023-03652
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the OpenSSL library is associated with uncontrolled resource consumption. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service using specially crafted data.
CVE-STATUS: Resolved
CVE-REV: To close, run the command: sudo dnf update openssl

CVE-ID: CVE-2023-0466
BDU-ID: 2023-04973
CVE-Crit: MEDIUM
CVE-DESC.: A vulnerability in the X509_VERIFY_PARAM_add0_policy() function of the OpenSSL library is related to errors in the certificate authentication procedure. Exploitation of the vulnerability could allow an attacker acting remotely to perform a man-in-the-middle attack.
CVE-STATUS: Fixed
CVE-REV: To close, run the command: sudo dnf update openssl

CVE-ID: CVE-2023-0465
BDU-ID: None
CVE-Crit: MEDIUM
CVE-DESC.: Applications that use a non-standard option when validating certificates may be vulnerable to attack by a malicious certificate authority to bypass certain checks. Invalid certificate policies in the final certificate are silently ignored by OpenSSL, and other certificate policy checks for that certificate are skipped. A malicious CA can use this to intentionally assert invalid certificate policies to bypass certificate policy checks altogether. Policy handling is disabled by default, but can be enabled by passing the “-policy” argument to command line utilities or by calling the “X509_VERIFY_PARAM_set1_policies()” function.
CVE-STATUS: Fixed
CVE-REV: To close, run the command: sudo dnf update openssl

CVE-ID: CVE-2023-0464
BDU-ID: 2023-02108
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the OpenSSL cryptographic library is related to X.509 certificate chain validation. Exploitation of the vulnerability could allow an attacker acting remotely to create a malicious certificate chain that triggers exponential utilization of computing resources, resulting in a denial-of-service (DoS) attack on vulnerable systems.
CVE-STATUS: Resolved
CVE-REV: To close, run the command: sudo dnf update openssl

CVE-ID: CVE-2023-3817
BDU-ID: 2023-04960
CVE-Crit: MEDIUM
CVE-DESC.: A vulnerability in the DH_check(), DH_check_ex(), and EVP_PKEY_param_check() functions of the OpenSSL library involves excessive iteration. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service.
CVE-STATUS: Fixed
CVE-REV: To close, run the command: sudo dnf update openssl

CVE-ID: CVE-2023-3446
BDU-ID: 2023-04957
CVE-Crit: MEDIUM
CVE-DESC.: A vulnerability in the DH_check(), DH_check_ex(), or EVP_PKEY_param_check() functions of the OpenSSL library involves the use of a regular expression with inefficient computational complexity. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service.
CVE-STATUS: Fixed
CVE-REV: To close, run the command: sudo dnf update openssl

Affected package:
OS: ROSA
OS Version: any
Architecture: noarch
Package: openssl
Version: < 1.1.1
Filename: UNKNOWN
