OpenSSL Security Update 08 February 2023

OpenSSL has released security updates that fix multiple vulnerabilities across several release series.

The addressed vulnerabilities could allow a remote attacker to obtain sensitive information or to cause a denial of service, either by causing arbitrary pointers to be passed to a memcmp call or by sending an overly large number of trial messages for decryption to affected systems.

A sample of the addressed vulnerabilities:

1. OpenSSL Denial of Service (CVE-2023-0286):

• CVSS: 8.2

• Attack Vector: Network

• Attack Complexity: Low

• Privileges Required: None

• User Interaction: None

• Consequences: Denial of Service

2. OpenSSL Information Disclosure (CVE-2022-4304):

• CVSS: 7.5

• Attack Vector: Network

• Attack Complexity: Low

• Privileges Required: None

• User Interaction: None

• Consequences: Obtain Information

Affected versions:

• 1.0.2, 1.1.1

• 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7
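A check of a local build against the affected versions listed above, as an added example that is not part of the advisory. It assumes the banner format printed by `openssl version` (for example "OpenSSL 3.0.7 1 Nov 2022"); because the advisory names the 1.0.2 and 1.1.1 series without a patch letter, releases in those series are reported for manual confirmation rather than as affected.

```python
"""Classify an `openssl version` banner against this advisory's version list.

Added example, not part of the advisory. Affected versions come from the
advisory text: 3.0.0 through 3.0.7 exactly, plus the 1.0.2 and 1.1.1 series.
"""
import re
import subprocess

# Exact 3.0.x releases named in the advisory.
AFFECTED_3_0 = {f"3.0.{patch}" for patch in range(0, 8)}
# Series the advisory names without a patch letter.
LISTED_SERIES = ("1.0.2", "1.1.1")

# Matches e.g. "OpenSSL 3.0.7 1 Nov 2022" or "OpenSSL 1.1.1s  1 Nov 2022".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(banner: str) -> tuple:
    """Return (numeric version, letter suffix) from an `openssl version` banner."""
    match = VERSION_RE.search(banner)
    if not match:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return match.group(1), match.group(2)


def classify(banner: str) -> str:
    """Return 'affected', 'series-listed' or 'not-listed' for a banner."""
    numeric, _suffix = parse_version(banner)
    if numeric in AFFECTED_3_0:
        return "affected"
    if numeric in LISTED_SERIES:
        # The advisory lists the whole series; confirm the letter release
        # against the OpenSSL advisory before deciding.
        return "series-listed"
    return "not-listed"


def check_local_openssl() -> str:
    """Run the local `openssl version` and classify it; 'unknown' if unavailable."""
    try:
        banner = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=True).stdout
        return classify(banner)
    except (OSError, subprocess.CalledProcessError, ValueError):
        return "unknown"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for sample in ("OpenSSL 3.0.7 1 Nov 2022", "OpenSSL 1.1.1s  1 Nov 2022",
                   "OpenSSL 3.0.8 7 Feb 2023"):
        print(f"{sample!r}: {classify(sample)}")
    print("local build:", check_local_openssl())
```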

Vulnerabilities

• CVE-2023-0286

• CVE-2022-4304

• CVE-2022-4203

• CVE-2023-0215

• CVE-2022-4450

• CVE-2023-0216

• CVE-2023-0217

• CVE-2023-0401

Mitigations

Enterprises should deploy the patched OpenSSL releases as soon as their testing phase is complete.

References

• OpenSSL Security Advisory