CVE-2023-0465: Invalid certificate policies in leaf certificates are silently ignored
First published: Tue Mar 28 2023(Updated: )
Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
Credit: openssl-security@openssl.org openssl-security@openssl.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenSSL OpenSSL | >=1.0.2<1.0.2zh | |
| OpenSSL OpenSSL | >=1.1.1<1.1.1u | |
| OpenSSL OpenSSL | >=3.0.0<3.0.9 | |
| OpenSSL OpenSSL | >=3.1.0<3.1.1 | |
| debian/openssl | <=1.1.1n-0+deb10u3 | 1.1.1n-0+deb10u6 1.1.1w-0+deb11u1 1.1.1n-0+deb11u5 3.0.11-1~deb12u2 3.1.4-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=10325176f3d3e98c6e2b3bf5ab1e3b334de6947a
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=facfb1ab745646e97a1920977ae4a9965ea61d5c
- https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html
- https://security.netapp.com/advisory/ntap-20230414-0001/
- https://www.debian.org/security/2023/dsa-5417
- https://www.openssl.org/news/secadv/20230328.txt
- https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1dd43e0709fece299b15208f36cc7c76209ba0bb
- https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=d2f0d05807fc70c68dcc22bcc6979147782d4adf
- https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=dda529ecc2d085488eef60235ef553dc5fd6e6dc
- https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b013765abfa80036dc779dd0e50602c57bb3bf95
- https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=f675d164e5d9648c3537a0f5efe1cc2fd232b4a9
- https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=23a4cbeb3ad80da3830f760f624599f24236bc38
- https://security-tracker.debian.org/tracker/CVE-2023-0465
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2182591
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2182596
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2182592
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2182597
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2182593
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2182598
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2182594
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2182599
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2182589
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2182590
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2182595
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2182600
- https://access.redhat.com/errata/RHSA-2023:3722
- https://access.redhat.com/security/cve/cve-2023-0465
- https://access.redhat.com/errata/RHSA-2023:7622
- https://access.redhat.com/errata/RHSA-2023:7623
- https://access.redhat.com/errata/RHSA-2023:7625
- https://access.redhat.com/errata/RHSA-2023:7626
- https://bugzilla.redhat.com/show_bug.cgi?id=2182561
- https://security.gentoo.org/glsa/202402-08
Frequently Asked Questions
What is CVE-2023-0465?
CVE-2023-0465 is a vulnerability that affects applications using a non-default option when verifying certificates, making them vulnerable to attacks from malicious certificate authorities.
How does CVE-2023-0465 impact OpenSSL?
CVE-2023-0465 affects OpenSSL by allowing invalid certificate policies in leaf certificates to be silently ignored and certain certificate policy checks to be skipped.
Which versions of OpenSSL are affected by CVE-2023-0465?
OpenSSL versions 1.1.1n-0+deb10u3 to 1.1.1n-0+deb10u6, 1.1.1n-0+deb11u4 to 1.1.1n-0+deb11u5, 3.0.9-1 to 3.0.11-1 are affected by CVE-2023-0465.
How can I fix CVE-2023-0465 in OpenSSL?
To fix CVE-2023-0465 in OpenSSL, update to version 1.1.1n-0+deb10u6 or higher for Debian 10, and version 1.1.1n-0+deb11u5 or higher for Debian 11.
Where can I find more information about CVE-2023-0465?
You can find more information about CVE-2023-0465 on the OpenSSL security advisory at https://www.openssl.org/news/secadv/20230328.txt and the associated commits in the OpenSSL Git repository.
- collector/nvd-index
- collector/security-tracker-debian
- agent/type
- agent/softwarecombine
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-0465
- agent/severity
- agent/remedy
- agent/weakness
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/references
- agent/first-publish-date
- agent/event
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/openssl
- canonical/openssl openssl
- version/openssl openssl/1.0.2
- version/openssl openssl/1.1.1
- version/openssl openssl/3.0.0
- version/openssl openssl/3.1.0
- package-manager/debian