Описание
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.
Policy processing is disabled by default but can be enabled by passing
the -policy' argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies()' function.
A security vulnerability has been identified in all supported OpenSSL versions related to verifying X.509 certificate chains that include policy constraints. This flaw allows attackers to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial of service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the -policy' argument to the command line utilities or calling the X509_VERIFY_PARAM_set1_policies()' function.
Отчет
This vulnerability is classified as low severity because policy processing in OpenSSL is disabled by default, meaning that most deployments are unaffected unless explicitly configured to enable policy checks. Additionally, while the flaw can cause exponential computational resource consumption, it does not allow for remote code execution, memory corruption, or data exfiltration—limiting its impact to a denial-of-service (DoS) condition. Exploiting this issue also requires an attacker to supply a specifically crafted X.509 certificate chain, which is only feasible in scenarios where certificate validation of untrusted chains is performed, further reducing the practical risk.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | openssl | Out of support scope | ||
| Red Hat Enterprise Linux 7 | openssl | Out of support scope | ||
| Red Hat Enterprise Linux 7 | ovmf | Out of support scope | ||
| Red Hat Enterprise Linux 8 | compat-openssl10 | Will not fix | ||
| Red Hat Enterprise Linux 8 | edk2 | Not affected | ||
| Red Hat Enterprise Linux 8 | openssl | Will not fix | ||
| Red Hat Enterprise Linux 8 | shim | Fix deferred | ||
| Red Hat Enterprise Linux 9 | compat-openssl11 | Will not fix | ||
| Red Hat Enterprise Linux 9 | edk2 | Not affected | ||
| Red Hat Enterprise Linux 9 | shim | Fix deferred |
Показывать по
Дополнительная информация
Статус:
5.9 Medium
CVSS3
Связанные уязвимости
A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
A security vulnerability has been identified in all supported versions ...
5.9 Medium
CVSS3