CVE Vulnerabilities

CVE-2023-0466

Improper Certificate Validation

Published: Mar 28, 2023 | Modified: Feb 04, 2024
CVSS 3.x
5.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
5.3 LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Ubuntu
NEGLIGIBLE

The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification.

As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function.

Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument.

Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name Vendor Start Version End Version
Openssl Openssl 1.0.2 (including) 1.0.2zh (excluding)
Openssl Openssl 1.1.1 (including) 1.1.1u (excluding)
Openssl Openssl 3.0.0 (including) 3.0.9 (excluding)
Openssl Openssl 3.1.0 (including) 3.1.1 (excluding)
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-openssl-1:1.1.1k-16.el8jbcs *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-openssl-1:1.1.1k-16.el7jbcs *
Red Hat Enterprise Linux 9 RedHat openssl-1:3.0.7-16.el9_2 *
Red Hat Enterprise Linux 9 RedHat openssl-1:3.0.7-16.el9_2 *
Red Hat JBoss Core Services 1 RedHat openssl *
Red Hat JBoss Web Server 5 RedHat openssl *
Red Hat JBoss Web Server 5.7 on RHEL 7 RedHat jws5-tomcat-native-0:1.2.31-16.redhat_16.el7jws *
Red Hat JBoss Web Server 5.7 on RHEL 8 RedHat jws5-tomcat-native-0:1.2.31-16.redhat_16.el8jws *
Red Hat JBoss Web Server 5.7 on RHEL 9 RedHat jws5-tomcat-native-0:1.2.31-16.redhat_16.el9jws *
Edk2 Ubuntu bionic *
Edk2 Ubuntu focal *
Edk2 Ubuntu jammy *
Edk2 Ubuntu kinetic *
Edk2 Ubuntu lunar *
Edk2 Ubuntu mantic *
Edk2 Ubuntu trusty *
Edk2 Ubuntu xenial *
Nodejs Ubuntu jammy *
Nodejs Ubuntu trusty *
Openssl Ubuntu bionic *
Openssl Ubuntu devel *
Openssl Ubuntu esm-infra/xenial *
Openssl Ubuntu fips-preview/jammy *
Openssl Ubuntu fips-updates/bionic *
Openssl Ubuntu fips-updates/focal *
Openssl Ubuntu fips-updates/jammy *
Openssl Ubuntu fips-updates/xenial *
Openssl Ubuntu fips/bionic *
Openssl Ubuntu fips/focal *
Openssl Ubuntu fips/xenial *
Openssl Ubuntu focal *
Openssl Ubuntu jammy *
Openssl Ubuntu kinetic *
Openssl Ubuntu lunar *
Openssl Ubuntu mantic *
Openssl Ubuntu noble *
Openssl Ubuntu oracular *
Openssl Ubuntu trusty *
Openssl Ubuntu trusty/esm *
Openssl Ubuntu upstream *
Openssl Ubuntu xenial *
Openssl1.0 Ubuntu bionic *

Potential Mitigations

References