Matt Caswell

Name of the Vulnerable Software and Affected Versions: OpenSSL versions prior to 3.3 (FIPS modules in 3.3, 3.2, 3.1, and 3.0 are not affected) Description: The issue is related to the `SSL free buffers` function in OpenSSL, which can cause memory to be accessed after it has been freed in certain situations. This can lead to corruption of valid data, crashes, or execution of arbitrary code. The function is used to free the internal OpenSSL buffer when processing an incoming record from the network. However, two scenarios have been identified where the buffer is freed even when still in use. A malicious attacker could attempt to engineer a situation where this occurs, although it is not aware of this issue being actively exploited. Recommendations: As a temporary workaround, consider disabling the `SSL free buffers` function until a patch is available. Restrict access to the vulnerable `SSL free buffers` function to minimize the risk of exploitation. Avoid using the `SSL free buffers` function in applications that directly call it, as these are the only applications affected by this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions prior to the next release (exact version not specified) CPython version 3.9 and earlier **Description** The issue is related to the OpenSSL API function `SSL select next proto` which can cause a crash or memory contents to be sent to the peer when called with an empty supported client protocols buffer. This can result in a loss of confidentiality, with up to 255 bytes of arbitrary private data from memory being sent to the peer. The issue is typically not under attacker control and may occur by accident due to a configuration or programming error in the calling application. The `SSL select next proto` function is used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation), with NPN being older and deprecated in favor of ALPN. **Recommendations** For OpenSSL versions prior to the next release, there is no information about a newer version that contains a fix for this vulnerability. For CPython version 3.9 and earlier, ensure that `SSLContext.set npn protocols()` is not configured with an empty list to prevent the buffer over-read issue. As a temporary workaround, consider disabling the use of NPN in favor of ALPN to minimize the risk of exploitation. Restrict access to the `SSL select next proto` function to prevent accidental calls with empty client protocol buffers. Avoid using the `client len` parameter with a value of 0 when calling the `SSL select next proto` function. Note: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions prior to 3.3.0 **Description** The issue is related to unbounded memory growth when processing TLSv1.3 sessions due to the use of the non-default SSL OP NO TICKET option. This can lead to a Denial of Service. The problem occurs when the session cache gets into an incorrect state and fails to flush properly as it fills. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. This issue only affects TLS servers supporting TLSv1.3 and does not affect TLS clients. The FIPS modules in 3.2, 3.1, and 3.0 are not affected by this issue, nor is OpenSSL 1.0.2. **Recommendations** To resolve the issue, update to OpenSSL version 3.3.0 or later. As a temporary workaround, consider disabling the use of the SSL OP NO TICKET option in TLSv1.3 server configurations until a patch is available. Restrict access to TLSv1.3 sessions to minimize the risk of exploitation. Avoid using the `SSL OP NO TICKET` option in TLSv1.3 server configurations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions prior to 3.2 (excluding FIPS modules in 3.2, 3.1, and 3.0) **Description** The issue arises from the improper handling of NULL fields in PKCS12 files, leading to a potential Denial of Service attack. Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly due to a NULL pointer dereference. The affected OpenSSL APIs are: `PKCS12 parse()`, `PKCS12 unpack p7data()`, `PKCS12 unpack p7encdata()`, `PKCS12 unpack authsafes()`, and `PKCS12 newpass()`. **Recommendations** As a temporary workaround, consider disabling the use of `PKCS12 parse()`, `PKCS12 unpack p7data()`, `PKCS12 unpack p7encdata()`, `PKCS12 unpack authsafes()`, and `PKCS12 newpass()` functions until a patch is available. Restrict access to PKCS12 files from untrusted sources to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions prior to 41.0.3 **Description** The issue is related to the functions `DH check()`, `DH check ex()`, and `EVP PKEY param check()` in the OpenSSL library. These functions can cause long delays when checking excessively long DH keys or parameters, potentially leading to a Denial of Service (DoS) attack if the key or parameters are obtained from an untrusted source. The `DH check()` function performs various checks on DH parameters, including confirming that the modulus (`p` parameter) is not too large. However, trying to use a very large modulus is slow, and OpenSSL will not normally use a modulus over 10,000 bits in length. The OpenSSL SSL/TLS implementation and the OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. **Recommendations** To resolve the issue, update to OpenSSL version 41.0.3 or later. As a temporary workaround, consider restricting the use of the `DH check()`, `DH check ex()`, and `EVP PKEY param check()` functions to minimize the risk of exploitation. Avoid using the `p` parameter with large modulus values in the affected functions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions prior to 3.0 OpenSSL versions 3.0 and newer MySQL Server versions 5.7.42 and earlier, 8.0.33 and earlier **Description** The issue is related to the processing of specially crafted ASN.1 object identifiers, which can cause significant delays in applications using the OpenSSL library. This can lead to a Denial of Service (DoS) condition. The `OBJ obj2txt()` function is used to translate an ASN.1 OBJECT IDENTIFIER to its canonical numeric text form, and when dealing with very large sub-identifiers, the translation can take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes. The impact is relatively low on TLS due to the 100KiB limit on the peer's certificate chain. Applications that call `OBJ obj2txt()` directly with untrusted data are affected, with any version of OpenSSL. **Recommendations** For OpenSSL versions prior to 3.0, consider upgrading to a newer version to mitigate the risk. For OpenSSL versions 3.0 and newer, ensure that the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS have message size limits in place to prevent excessive delays. For MySQL Server versions 5.7.42 and earlier, 8.0.33 and earlier, upgrade to a newer version to address the vulnerability. As a temporary workaround, consider disabling the `OBJ obj2txt()` function or restricting its use with untrusted data until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** The issue is related to the handling of invalid certificate policies in leaf certificates by OpenSSL. When a non-default option is used for verifying certificates, applications may be vulnerable to an attack from a malicious Certificate Authority (CA) that could circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored, and other certificate policy checks are skipped for that certificate. A malicious CA could deliberately assert invalid certificate policies to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy` argument to the command line utilities or by calling the `X509 VERIFY PARAM set1 policies()` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) MySQL Server versions 5.7.41 and earlier, 8.0.32 and earlier **Description** The public API function BIO new NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO f asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64 write ASN1() which may cause BIO new NDEF() to be called and will subsequently call BIO pop() on the BIO. Other public API functions that may be impacted by this include i2d ASN1 bio stream, BIO new CMS, BIO new PKCS7, i2d CMS bio stream and i2d PKCS7 bio stream. **Recommendations** For OpenSSL, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For MySQL Server versions 5.7.41 and earlier, 8.0.32 and earlier, update to a version that is not affected by this vulnerability. As a temporary workaround, consider disabling the `BIO new NDEF()` function until a patch is available. Restrict access to the vulnerable module `BIO f asn1` to minimize the risk of exploitation. Avoid using the `BIO pop()` function on the BIO until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** The function PEM read bio ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the `name out`, `header` and `data` arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM read bio ex() will return a failure code but will populate the `header` argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM read bio() and PEM read() are simple wrappers around PEM read bio ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM X509 INFO read bio ex() and SSL CTX use serverinfo file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the `header` argument if PEM read bio ex() returns a failure code. These locations include the PEM read bio TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 1.1.1 through 1.1.1c **Description** The issue is related to the random number generator (RNG) in OpenSSL, which was intended to protect against shared RNG state between parent and child processes after a fork() system call. However, this protection was not enabled by default. A mitigation factor is that the output from a high precision timer is mixed into the RNG state, reducing the likelihood of shared state. The problem does not occur if an application explicitly calls OPENSSL init crypto() using OPENSSL INIT ATFORK. **Recommendations** For OpenSSL versions 1.1.1 through 1.1.1c, update to version 1.1.1d to resolve the issue. As a temporary workaround, consider explicitly calling OPENSSL init crypto() using OPENSSL INIT ATFORK in applications to prevent the problem.

**Name of the Vulnerable Software and Affected Versions** Node.js (affected versions not specified) **Description** The issue concerns a TLS handshake failure due to the use of SSL read(), allowing an active network attacker to send application data to Node.js using the TLS or HTTP2 modules, bypassing TLS authentication and encryption. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 1.0.2 through 1.0.2a (excluding 1.0.2a) **Description** The issue is related to the ssl3 client hello function in OpenSSL, which does not ensure the proper initialization of the pseudorandom number generator (PRNG) before the handshake procedure. This can be exploited by a remote attacker to bypass cryptographic protection mechanisms by analyzing network traffic and conducting a brute-force attack. **Recommendations** For OpenSSL versions 1.0.2 through 1.0.2a (excluding 1.0.2a), update to version 1.0.2a or later to resolve the issue. At the moment, there is no information about additional mitigation measures for this specific issue.

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 1.0.2 through 1.0.2a (excluding 1.0.2a) **Description** The issue allows remote attackers to cause a denial of service (daemon crash) via a ClientKeyExchange message with a length of zero, when client authentication and an ephemeral Diffie-Hellman ciphersuite are enabled. This is due to insufficient input validation in the ssl3 get client key exchange function. The vulnerability can be exploited by sending a ClientKeyExchange message of zero length during the authentication procedure when the Diffie-Hellman protocol is enabled. **Recommendations** For OpenSSL versions 1.0.2 through 1.0.2a (excluding 1.0.2a), update to version 1.0.2a or later to resolve the issue. As a temporary workaround, consider disabling the ephemeral Diffie-Hellman ciphersuite until a patch is available. Restrict access to the ssl3 get client key exchange function to minimize the risk of exploitation.