- Vulnerability/
- USN-5844-1
USN-5844-1: OpenSSL vulnerabilities
First published: Tue Feb 07 2023(Updated: )
David Benjamin discovered that OpenSSL incorrectly handled X.400 address processing. A remote attacker could possibly use this issue to read arbitrary memory contents or cause OpenSSL to crash, resulting in a denial of service. (CVE-2023-0286) Corey Bonnell discovered that OpenSSL incorrectly handled X.509 certificate verification. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 22.10. (CVE-2022-4203) Hubert Kario discovered that OpenSSL had a timing based side channel in the OpenSSL RSA Decryption implementation. A remote attacker could possibly use this issue to recover sensitive information. (CVE-2022-4304) Dawei Wang discovered that OpenSSL incorrectly handled parsing certain PEM data. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2022-4450) Octavio Galland and Marcel Böhme discovered that OpenSSL incorrectly handled streaming ASN.1 data. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2023-0215) Marc Schönefeld discovered that OpenSSL incorrectly handled malformed PKCS7 data. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 22.10. (CVE-2023-0216) Kurt Roeckx discovered that OpenSSL incorrectly handled validating certain DSA public keys. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 22.10. (CVE-2023-0217) Hubert Kario and Dmitry Belyavsky discovered that OpenSSL incorrectly validated certain signatures. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 22.10. (CVE-2023-0401)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| ubuntu/libssl3 | <3.0.5-2ubuntu2.1 | 3.0.5-2ubuntu2.1 |
| Ubuntu | =22.10 | |
| All of | ||
| ubuntu/libssl3 | <3.0.2-0ubuntu1.8 | 3.0.2-0ubuntu1.8 |
| Ubuntu | =22.04 | |
| All of | ||
| ubuntu/libssl1.1 | <1.1.1f-1ubuntu2.17 | 1.1.1f-1ubuntu2.17 |
| Ubuntu | =20.04 | |
| All of | ||
| ubuntu/libssl1.1 | <1.1.1-1ubuntu2.1~18.04.21 | 1.1.1-1ubuntu2.1~18.04.21 |
| Ubuntu | =18.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://ubuntu.com/security/CVE-2023-0217
- https://ubuntu.com/security/CVE-2022-4304
- https://ubuntu.com/security/CVE-2023-0215
- https://ubuntu.com/security/CVE-2022-4450
- https://ubuntu.com/security/CVE-2023-0286
- https://ubuntu.com/security/CVE-2023-0401
- https://ubuntu.com/security/CVE-2022-4203
- https://ubuntu.com/security/CVE-2023-0216
- https://ubuntu.com/security/notices/USN-6564-1
- https://ubuntu.com/security/notices/USN-5845-1
- https://ubuntu.com/security/notices/USN-5845-2
- https://launchpad.net/ubuntu/+source/openssl/3.0.5-2ubuntu2.1
- https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.8
- https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.17
- https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.1~18.04.21
- https://ubuntu.com/security/notices/USN-5844-1 (Advisory)
Child vulnerabilities
(Contains the following vulnerabilities)
Frequently Asked Questions
What is the severity of USN-5844-1?
The severity of USN-5844-1 is considered high due to potential remote code execution and denial of service risks.
How do I fix USN-5844-1?
To fix USN-5844-1, upgrade to the fixed versions of libssl3 or libssl1.1 as specified in the advisory.
What are the affected versions in USN-5844-1?
Affected versions in USN-5844-1 include libssl3 for Ubuntu 22.10 and 22.04, and libssl1.1 for Ubuntu 20.04 and 18.04.
Who discovered the vulnerabilities in USN-5844-1?
David Benjamin and Corey Bonnell discovered the vulnerabilities addressed in USN-5844-1.
What types of attacks are possible due to USN-5844-1?
USN-5844-1 may allow remote attackers to read arbitrary memory contents or cause OpenSSL to crash.
- agent/references
- agent/severity
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/title
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/usn
- source/Ubuntu
- anchor-related/USN-6564-1
- anchor-related/USN-5845-1
- anchor-related/USN-5845-2
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- package-manager/ubuntu
- vendor/ubuntu
- canonical/ubuntu
- version/ubuntu/22.10
- version/ubuntu/22.04
- version/ubuntu/20.04
- version/ubuntu/18.04