Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Lack of TLS certificate verification in log transmission of a financial module within LINE Client for iOS prior to 13.16.0.

The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS based communication. As the SSL_get_verify_result() function is not used, the certificate is always trusted and it cannot be ensured that the certificate satisfies all necessary security requirements. This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certificate is properly validated. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37 ((OTRS)) Community Edition: from 6.0.X through 6.0.34.
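The OTRS advisory describes a mail client that completes the TLS handshake but never consults OpenSSL's verify result, so any certificate is accepted. The following is an added example, not OTRS code and not from the advisory, showing what a correctly verifying POP3/IMAP/SMTP client looks like from Python's OpenSSL-backed `ssl` module: `mail_tls_context()` is the corrected configuration, `weak_context_like_advisory()` is the weak one beside it for contrast, `has_advisory_weakness()` audits a context for that weakness, and `peer_is_verified()` is the explicit post-handshake check that plays the role of inspecting `SSL_get_verify_result()` plus a hostname match. The host names, the `fetch_imap`/`send_smtp` helpers and the sample certificate dictionary are this example's own constructions; the exact-match SAN comparison is deliberately stricter than the RFC 6125 matching that `check_hostname=True` already performs during the handshake.

```python
"""Verified TLS for mail protocols: the check the advisory says was missing."""
import imaplib
import smtplib
import ssl
from typing import Dict, Optional


def mail_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that refuses unverified or mis-named peers.

    create_default_context() already sets CERT_REQUIRED and check_hostname;
    they are restated so that a later "check_hostname = False" edit is
    obvious in code review.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def weak_context_like_advisory() -> ssl.SSLContext:
    """The configuration the advisory describes: handshake, but no verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # chain result is never consulted
    return ctx


def has_advisory_weakness(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True when a context would trust any certificate."""
    return ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname


def peer_is_verified(cert: Dict, expected_host: str) -> bool:
    """Explicit post-handshake check on the dict from SSLSocket.getpeercert().

    With CERT_NONE the ssl module returns an empty dict even though the
    peer sent a certificate, which is exactly the "trusted always" state
    in the advisory. Hostname matching here is exact (no wildcards).
    """
    if not cert:
        return False
    names = [value for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"]
    return expected_host.lower() in (n.lower() for n in names)


def fetch_imap(host: str, user: str, password: str, port: int = 993,
               cafile: Optional[str] = None) -> imaplib.IMAP4_SSL:
    """Open a verified IMAPS session (network call; not exercised offline)."""
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=mail_tls_context(cafile))
    if not peer_is_verified(conn.sock.getpeercert(), host):
        conn.shutdown()
        raise ssl.SSLError("peer certificate not verified for %s" % host)
    conn.login(user, password)
    return conn


def send_smtp(host: str, port: int = 465,
              cafile: Optional[str] = None) -> smtplib.SMTP_SSL:
    """Open a verified SMTPS session (network call; not exercised offline)."""
    conn = smtplib.SMTP_SSL(host, port, context=mail_tls_context(cafile))
    if not peer_is_verified(conn.sock.getpeercert(), host):
        conn.close()
        raise ssl.SSLError("peer certificate not verified for %s" % host)
    return conn


# Constructed sample of what getpeercert() returns for a verified peer.
SAMPLE_VERIFIED_CERT = {
    "subject": ((("commonName", "mail.example.test"),),),
    "subjectAltName": (("DNS", "mail.example.test"), ("DNS", "imap.example.test")),
}
# What getpeercert() returns when verification was disabled.
SAMPLE_UNVERIFIED_CERT: Dict = {}
```

`has_advisory_weakness()` is the part worth wiring into a unit test or a startup self-check of any mail integration: it fails fast if someone relaxes verification to make a broken certificate "work".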
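The OpenSSL advisory's point is that cheap size checks must run before any expensive validation of DH material from an untrusted source. As an added example (not OpenSSL's or the advisory's code), the block below parses X9.42 DomainParameters (the DER `SEQUENCE { p INTEGER, g INTEGER, q INTEGER }`; the optional `j` and `validationParms` fields are ignored) and rejects oversized parameters before they would reach a checker or key generator. The 10000-bit ceiling is an assumption modelled on OpenSSL's `OPENSSL_DH_MAX_MODULUS_BITS`; rejecting a `q` with more bits than `p` is this example's own policy, justified by `q` having to divide `p - 1`, not a description of OpenSSL's internal fix. The encoder at the end exists only to construct test input.

```python
"""Bound-check untrusted X9.42 DH parameters before expensive validation."""
from typing import Tuple

MAX_MODULUS_BITS = 10000  # assumed ceiling, modelled on OpenSSL's modulus limit


class ParamError(ValueError):
    """Raised for malformed or oversized parameters."""


def _der_len(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ParamError("truncated length")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ParamError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_int(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a non-negative DER INTEGER at buf[pos]."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ParamError("expected INTEGER")
    length, pos = _der_len(buf, pos + 1)
    if length == 0 or pos + length > len(buf):
        raise ParamError("truncated INTEGER")
    body = buf[pos:pos + length]
    if body[0] & 0x80:
        raise ParamError("negative INTEGER")
    return int.from_bytes(body, "big"), pos + length


def parse_x942_params(der: bytes) -> Tuple[int, int, int]:
    """Return (p, g, q) from DER DomainParameters; no size policy applied."""
    if not der or der[0] != 0x30:
        raise ParamError("expected SEQUENCE")
    length, pos = _der_len(der, 1)
    if pos + length > len(der):
        raise ParamError("truncated SEQUENCE")
    p, pos = _der_int(der, pos)
    g, pos = _der_int(der, pos)
    q, pos = _der_int(der, pos)
    return p, g, q


def check_param_sizes(p: int, g: int, q: int) -> None:
    """Constant-cheap checks that must run BEFORE primality/subgroup work."""
    if p.bit_length() > MAX_MODULUS_BITS:
        raise ParamError("p exceeds %d bits" % MAX_MODULUS_BITS)
    if q.bit_length() > p.bit_length():   # q | (p - 1) implies q < p
        raise ParamError("q is larger than p")
    if not 1 < g < p:
        raise ParamError("generator out of range")


def load_untrusted_params(der: bytes) -> Tuple[int, int, int]:
    """Parse and size-check; only values that pass may go to a full checker."""
    p, g, q = parse_x942_params(der)
    check_param_sizes(p, g, q)
    return p, g, q


def is_rejected(der: bytes) -> bool:
    """Convenience wrapper: True if the blob fails parsing or size policy."""
    try:
        load_untrusted_params(der)
    except ParamError:
        return True
    return False


# --- minimal DER encoder, used here only to construct sample input ---
def _enc_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _enc_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # keeps sign bit clear
    return b"\x02" + _enc_len(len(body)) + body


def encode_x942_params(p: int, g: int, q: int) -> bytes:
    content = _enc_int(p) + _enc_int(g) + _enc_int(q)
    return b"\x30" + _enc_len(len(content)) + content


# Constructed sample values (sizes only; these are not prime and are not
# meant to be used as real parameters).
SAMPLE_P = (1 << 2047) | 1        # 2048 bits
SAMPLE_Q = (1 << 255) | 1         # 256 bits
SAMPLE_G = 2
HUGE_P = (1 << 16383) | 1         # 16384 bits: would stall a full check
```

Run the size policy on every DH blob that crosses a trust boundary (uploaded parameter files, peer-supplied keys) and only then hand the values to the library's full check; the order matters because the full check is the expensive step the advisory warns about.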