An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.
The result of the dereference is an application crash which could lead to a denial of service attack. The TLS implementation in OpenSSL does not call this function however third party applications might call these functions on untrusted data.
Weakness
The product dereferences a pointer that it expects to be valid but is NULL.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Openssl | Openssl | 3.0.0 (including) | 3.0.7 (including) |
| Red Hat Enterprise Linux 9 | RedHat | openssl-1:3.0.1-47.el9_1 | * |
| Red Hat Enterprise Linux 9 | RedHat | openssl-1:3.0.1-47.el9_1 | * |
| Red Hat Enterprise Linux 9.0 Extended Update Support | RedHat | openssl-1:3.0.1-46.el9_0 | * |
| Edk2 | Ubuntu | trusty | * |
| Edk2 | Ubuntu | xenial | * |
| Nodejs | Ubuntu | trusty | * |
| Openssl | Ubuntu | devel | * |
| Openssl | Ubuntu | jammy | * |
| Openssl | Ubuntu | kinetic | * |
| Openssl | Ubuntu | lunar | * |
| Openssl | Ubuntu | mantic | * |
| Openssl | Ubuntu | trusty | * |
| Openssl | Ubuntu | upstream | * |
| Openssl | Ubuntu | xenial | * |
Potential Mitigations
References
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=934a04f0e775309cadbef0aa6b9692e1b12a76c6
- https://security.gentoo.org/glsa/202402-08
- https://www.openssl.org/news/secadv/20230207.txt
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=934a04f0e775309cadbef0aa6b9692e1b12a76c6
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003
- https://security.gentoo.org/glsa/202402-08
- https://www.openssl.org/news/secadv/20230207.txt