Описание
Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer.
Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.
A flaw was found in aws-lc, a cryptographic library. An unauthenticated attacker can exploit improper certificate validation within the PKCS7_verify() function. This allows them to bypass the verification process for certificate chains when handling PKCS7 objects that contain multiple digital signers, except for the last one. The primary consequence is a compromise of integrity, as the system may incorrectly trust unverified certificates.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-monitor-rhel9 | Affected | ||
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-operator-bundle | Affected | ||
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-podvm-builder-rhel9 | Affected | ||
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-podvm-payload-rhel9 | Affected | ||
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-rhel9-operator | Affected | ||
| Red Hat Enterprise Linux 10 | clevis-pin-trustee | Will not fix | ||
| Red Hat Enterprise Linux 10 | trustee | Will not fix | ||
| Red Hat Enterprise Linux 10 | virt-firmware-rs | Affected | ||
| Red Hat Enterprise Linux 9 | clevis-pin-trustee | Will not fix | ||
| Red Hat OpenShift Container Platform 4 | kata-containers | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0.
EPSS
7.5 High
CVSS3