First published: Wed Jan 25 2023
A flaw was found in OpenSSL. An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. This may result in an application crash which could lead to a denial of service. The TLS implementation in OpenSSL does not call this function, however, third party applications might call these functions on untrusted data.
Credit: openssl-security@openssl.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/openssl | <1:3.0.1-47.el9_1 | 1:3.0.1-47.el9_1 |
redhat/openssl | <1:3.0.1-46.el9_0 | 1:3.0.1-46.el9_0 |
OpenSSL | >=3.0.0, <=3.0.7 | |
Stormshield Management Center | <3.3.3 | |
rust/openssl-src | >=300.0.0, <300.0.12 | 300.0.12 |
debian/openssl | 1.1.1w-0+deb11u1, 1.1.1n-0+deb11u5, 3.0.14-1~deb12u1, 3.0.14-1~deb12u2, 3.3.2-1 | |
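The two version tests a defender would derive from this advisory, as an added example that is neither SecAlerts' nor OpenSSL's code: the upstream 3.0.0 to 3.0.7 range checked against the OpenSSL that Python's ssl module links, and a Red Hat package EVR compared against the fixed builds in the table above. The simplified rpmvercmp and the rule that the dist tag (el9_0 or el9_1) is the last release field are assumptions of the example.

```python
import re
# From the advisory table: upstream OpenSSL >=3.0.0 and <=3.0.7 is affected;
# Red Hat fixed builds are keyed by dist tag (assumption of this example:
# the dist tag is the last dot-separated field of the release string).
AFFECTED_MIN, AFFECTED_MAX = (3, 0, 0), (3, 0, 7)
REDHAT_FIXED = {"el9_1": "1:3.0.1-47.el9_1", "el9_0": "1:3.0.1-46.el9_0"}
_SEG = re.compile(r"\d+|[A-Za-z]+")

def upstream_affected(version_info=None):
    """True if (major, minor, fix, ...) lies in the upstream affected range;
    defaults to the OpenSSL that Python's ssl module is linked against."""
    if version_info is None:
        import ssl
        version_info = ssl.OPENSSL_VERSION_INFO
    return AFFECTED_MIN <= tuple(version_info[:3]) <= AFFECTED_MAX

def rpmvercmp(a, b):
    """Simplified rpm comparison: alternating numeric/alpha segments, numbers
    compared as integers, numeric sorts newer than alpha; no ~ or ^ handling."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_evr(evr):
    """'1:3.0.1-47.el9_1' -> (1, '3.0.1', '47.el9_1'); a missing epoch is 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release

def redhat_fixed(installed_evr):
    """True if a redhat/openssl package is at or above the fixed build of its
    own branch; the branch is matched first because comparing a patched
    3.0.1-46.el9_0 against the el9_1 build would mislabel it as vulnerable."""
    e, v, r = split_evr(installed_evr)
    fixed = REDHAT_FIXED.get(r.rsplit(".", 1)[-1])
    if fixed is None:
        raise ValueError(f"no fixed build on record for {installed_evr}")
    fe, fv, fr = split_evr(fixed)
    if e != fe:
        return e > fe
    c = rpmvercmp(v, fv)
    return c > 0 if c else rpmvercmp(r, fr) >= 0
```

Note that upstream_affected() reports a patched Red Hat 3.0.1-47.el9_1 build as affected because it still identifies as 3.0.1, so on distribution-patched systems the package check is the one to trust.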
CVE-2023-0216 is a vulnerability in OpenSSL that allows an invalid pointer dereference on read, leading to a denial of service.
CVE-2023-0216 can be triggered when an application tries to load malformed PKCS7 data using the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions in OpenSSL.
CVE-2023-0216 has a severity level of high with a severity value of 7.
CVE-2023-0216 affects OpenSSL versions up to but excluding 3.0.7, as well as Stormshield Management Center versions up to but excluding 3.3.3.
Yes, a fix has been provided for CVE-2023-0216. For the Red Hat openssl package, upgrade to version 1:3.0.1-47.el9_1 (el9_1) or 1:3.0.1-46.el9_0 (el9_0), as listed in the table above. For Stormshield Management Center, upgrade to version 3.3.3 or later.