CVE Vulnerabilities

CVE-2023-0286

Access of Resource Using Incompatible Type ('Type Confusion')

Published: Feb 08, 2023 | Modified: Feb 04, 2024
CVSS 3.x
7.4
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
7.4 IMPORTANT
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
Ubuntu
HIGH

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Weakness

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

Affected Software

Name Vendor Start Version End Version
Openssl Openssl 1.0.2 (including) 1.0.2zg (excluding)
Openssl Openssl 1.1.1 (including) 1.1.1t (excluding)
Openssl Openssl 3.0.0 (including) 3.0.8 (excluding)
JBCS httpd 2.4.51.sp2 RedHat openssl *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-openssl-1:1.1.1k-14.el8jbcs *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-openssl-1:1.1.1k-14.el7jbcs *
Red Hat Enterprise Linux 6 Extended Lifecycle Support RedHat openssl-0:1.0.1e-61.el6_10 *
Red Hat Enterprise Linux 7 RedHat openssl-1:1.0.2k-26.el7_9 *
Red Hat Enterprise Linux 8 RedHat edk2-0:20220126gitbb1bba3d77-4.el8 *
Red Hat Enterprise Linux 8 RedHat openssl-1:1.1.1k-9.el8_7 *
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions RedHat openssl-1:1.1.1c-6.el8_1 *
Red Hat Enterprise Linux 8.2 Advanced Update Support RedHat edk2-0:20190829git37eef91017ad-9.el8_2.2 *
Red Hat Enterprise Linux 8.2 Advanced Update Support RedHat openssl-1:1.1.1c-21.el8_2 *
Red Hat Enterprise Linux 8.2 Telecommunications Update Service RedHat edk2-0:20190829git37eef91017ad-9.el8_2.2 *
Red Hat Enterprise Linux 8.2 Telecommunications Update Service RedHat openssl-1:1.1.1c-21.el8_2 *
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions RedHat edk2-0:20190829git37eef91017ad-9.el8_2.2 *
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions RedHat openssl-1:1.1.1c-21.el8_2 *
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support RedHat edk2-0:20200602gitca407c7246bf-4.el8_4.3 *
Red Hat Enterprise Linux 8.4 Extended Update Support RedHat openssl-1:1.1.1g-18.el8_4 *
Red Hat Enterprise Linux 8.4 Telecommunications Update Service RedHat edk2-0:20200602gitca407c7246bf-4.el8_4.3 *
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions RedHat edk2-0:20200602gitca407c7246bf-4.el8_4.3 *
Red Hat Enterprise Linux 8.6 Extended Update Support RedHat edk2-0:20220126gitbb1bba3d77-2.el8_6.1 *
Red Hat Enterprise Linux 8.6 Extended Update Support RedHat openssl-1:1.1.1k-8.el8_6 *
Red Hat Enterprise Linux 9 RedHat openssl-1:3.0.1-47.el9_1 *
Red Hat Enterprise Linux 9 RedHat edk2-0:20221207gitfff6d81270b5-9.el9_2 *
Red Hat Enterprise Linux 9 RedHat openssl-1:3.0.1-47.el9_1 *
Red Hat Enterprise Linux 9.0 Extended Update Support RedHat openssl-1:3.0.1-46.el9_0 *
Red Hat Enterprise Linux 9.0 Extended Update Support RedHat edk2-0:20220126gitbb1bba3d77-3.el9_0.2 *
Red Hat JBoss Web Server 5 RedHat openssl *
Red Hat JBoss Web Server 5.7 on RHEL 7 RedHat jws5-tomcat-native-0:1.2.31-14.redhat_14.el7jws *
Red Hat JBoss Web Server 5.7 on RHEL 8 RedHat jws5-tomcat-native-0:1.2.31-14.redhat_14.el8jws *
Red Hat JBoss Web Server 5.7 on RHEL 9 RedHat jws5-tomcat-native-0:1.2.31-14.redhat_14.el9jws *
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 RedHat redhat-virtualization-host-0:4.5.3-202309130206_8.6 *
Edk2 Ubuntu bionic *
Edk2 Ubuntu kinetic *
Edk2 Ubuntu lunar *
Edk2 Ubuntu trusty *
Edk2 Ubuntu xenial *
Nodejs Ubuntu jammy *
Nodejs Ubuntu trusty *
Openssl Ubuntu bionic *
Openssl Ubuntu devel *
Openssl Ubuntu esm-infra/bionic *
Openssl Ubuntu esm-infra/xenial *
Openssl Ubuntu fips-updates/bionic *
Openssl Ubuntu fips-updates/focal *
Openssl Ubuntu fips-updates/xenial *
Openssl Ubuntu fips/bionic *
Openssl Ubuntu fips/focal *
Openssl Ubuntu fips/xenial *
Openssl Ubuntu focal *
Openssl Ubuntu jammy *
Openssl Ubuntu kinetic *
Openssl Ubuntu lunar *
Openssl Ubuntu mantic *
Openssl Ubuntu noble *
Openssl Ubuntu trusty *
Openssl Ubuntu trusty/esm *
Openssl Ubuntu upstream *
Openssl Ubuntu xenial *
Openssl1.0 Ubuntu bionic *
Openssl1.0 Ubuntu esm-infra/bionic *

Extended Description

When the product accesses the resource using an incompatible type, this could trigger logical errors because the resource does not have expected properties. In languages without memory safety, such as C and C++, type confusion can lead to out-of-bounds memory access. While this weakness is frequently associated with unions when parsing data with many different embedded object types in C, it can be present in any application that can interpret the same variable or memory location in multiple ways. This weakness is not unique to C and C++. For example, errors in PHP applications can be triggered by providing array parameters when scalars are expected, or vice versa. Languages such as Perl, which perform automatic conversion of a variable of one type when it is accessed as if it were another type, can also contain these issues.

References