| Vulnerability Name: | CVE-2023-0217 (CCN-246619) |
| Assigned: | 2023-02-07 |
| Published: | 2023-02-07 |
| Updated: | 2023-02-24 |
| Summary: | An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted sources which could allow an attacker to cause a denial of service attack. The TLS implementation in OpenSSL does not call this function but applications might call the function if there are additional security requirements imposed by standards such as FIPS 140-3. |
| CVSS v3 Severity: | 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)| Exploitability Metrics: | Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None | | Scope: | Scope (S): Unchanged
| | Impact Metrics: | Confidentiality (C): None
Integrity (I): None
Availibility (A): High |
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)| Exploitability Metrics: | Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None | | Scope: | Scope (S): Unchanged
| | Impact Metrics: | Confidentiality (C): None
Integrity (I): None
Availibility (A): High |
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)| Exploitability Metrics: | Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None | | Scope: | Scope (S): Unchanged
| | Impact Metrics: | Confidentiality (C): None
Integrity (I): None
Availibility (A): High |
|
| CVSS v2 Severity: | 7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)| Exploitability Metrics: | Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
| | Impact Metrics: | Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete |
|
| Vulnerability Consequences: | Denial of Service |
| References: | Source: MITRE
Type: CNA
CVE-2023-0217
Source: XF
Type: UNKNOWN
openssl-cve20230217-dos(246619)
Source: openssl-security@openssl.org
Type: UNKNOWN
openssl-security@openssl.org
Source: CCN
Type: Packet Storm Security [02-08-2023]
OpenSSL Toolkit 3.0.8
Source: CCN
Type: Packet Storm Security [02-07-2023]
OpenSSL Security Advisory 20230207
Source: CCN
Type: IBM Security Bulletin 6959033 (Business Automation Workflow traditional)
Multiple vulnerabilities in IBM SDK for Node.js and packaged modules affect IBM Business Automation Workflow Configuration Editor
Source: CCN
Type: IBM Security Bulletin 6960753 (Aspera faspio Gateway)
IBM Aspera faspio Gateway 1.3.2 has addressed multiple openssl vulnerabilities (CVE-2023-0401, CVE-2022-4203, CVE-2022-4304, CVE-2023-0216, CVE-2023-0215, CVE-2022-4450, CVE-2023-0217, CVE-2023-0286)
Source: CCN
Type: IBM Security Bulletin 6962773 (QRadar WinCollect Agent)
IBM QRadar WinCollect agent has multiple vulnerabilities
Source: CCN
Type: IBM Security Bulletin 6963634 (App Connect Enterprise)
Multiple vulnerabilities within OpenSSL and Node.js affect IBM App Connect Enterprise and IBM Integration Bus
Source: CCN
Type: IBM Security Bulletin 6963784 (Spectrum Protect Client)
Vulnerabilites in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client (CVE-2022-4450, CVE-2023-0216, CVE-2023-0401, CVE-2022-4203, CVE-2023-0217)
Source: CCN
Type: IBM Security Bulletin 6964854 (AIX)
Multiple vulnerabilities in OpenSSL affect AIX
Source: CCN
Type: IBM Security Bulletin 6965816 (Spectrum Protect Plus)
Vulnerabilities in Node.js, libcurl, Golang Go, Jetty, Guava, Netty, OpenSSL, Linux kernel may affect IBM Spectrum Protect Plus
Source: CCN
Type: IBM Security Bulletin 6984697 (MobileFirst Foundation)
OpenSSL publicly disclosed vulnerability affects IBM? MobileFirst Platform
Source: CCN
Type: IBM Security Bulletin 6985831 (MQ)
IBM MQ Advanced Message Security on IBM i platform is affected by multiple issues in OpenSSL (CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0216, CVE-2023-0217, CVE-2023-0401)
Source: CCN
Type: IBM Security Bulletin 6995593 (Spectrum Copy Data Management)
Vulnerabilities in OpenSSL might affect IBM Spectrum Copy Data Management (CVE-2022-4450, CVE-2023-0216, CVE-2023-0401, CVE-2022-4203, CVE-2023-0217)
Source: CCN
Type: IBM Security Bulletin 7001689 (MaaS360)
IBM MaaS360 Cloud Extender Agent, Mobile Enterprise Gateway, Configuration Utility, VPN, Certificate and Base Module affected by multiple vulnerabilities
Source: CCN
Type: IBM Security Bulletin 7003757 (Spectrum Control)
IBM Spectrum Control is vulnerable to multiple weaknesses related to OpenSSL
Source: CCN
Type: IBM Security Bulletin 7008987 (Tivoli Netcool System Service Monitors/Application Service Monitors)
Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286,CVE-2022-4450, CVE-2023-0216, CVE-2023-0401, CVE-2022-4203, CVE-2023-0217)
Source: CCN
Type: IBM Security Bulletin 7014451 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to denial of service and loss of confidentiality due to multiple vulnerabilities
Source: CCN
Type: OpenSSL Security Advisory [7th February 2023]
NULL dereference validating DSA public key (CVE-2023-0217)
Source: openssl-security@openssl.org
Type: Vendor Advisory
openssl-security@openssl.org
|
| Vulnerable Configuration: | Configuration RedHat 1:
cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*Configuration RedHat 2:
cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*Configuration RedHat 3:
cpe:/o:redhat:enterprise_linux:9:*:*:*:*:*:*:*Configuration RedHat 4:
cpe:/o:redhat:enterprise_linux:9::baseos:*:*:*:*:*
Configuration CCN 1:
cpe:/a:openssl:openssl:3.0.1:*:*:*:*:*:*:*OR cpe:/a:openssl:openssl:3.0.2:*:*:*:*:*:*:*OR cpe:/a:openssl:openssl:3.0.3:*:*:*:*:*:*:*OR cpe:/a:openssl:openssl:3.0.4:*:*:*:*:*:*:*OR cpe:/a:openssl:openssl:3.0.0:*:*:*:*:*:*:*OR cpe:/a:openssl:openssl:3.0.5:*:*:*:*:*:*:*OR cpe:/a:openssl:openssl:3.0.6:*:*:*:*:*:*:*AND cpe:/o:ibm:aix:7.1:*:*:*:*:*:*:*OR cpe:/o:ibm:aix:7.2:*:*:*:*:*:*:*OR cpe:/a:ibm:mq:8.0:*:*:*:*:*:*:*OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*OR cpe:/a:ibm:integration_bus:10.0.0.0:*:*:*:*:*:*:*OR cpe:/a:ibm:app_connect:11.0.0.1:*:*:*:enterprise:*:*:*OR cpe:/a:ibm:vios:3.1:*:*:*:*:*:*:*OR cpe:/a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:*OR cpe:/o:ibm:aix:7.3:*:*:*:*:*:*:*OR cpe:/a:ibm:business_automation_workflow:20.0.0.1:*:*:*:traditional:*:*:*OR cpe:/a:ibm:business_automation_workflow:20.0.0.2:*:*:*:traditional:*:*:*OR cpe:/a:ibm:business_automation_workflow:21.0.1:*:*:*:traditional:*:*:*OR cpe:/a:ibm:spectrum_copy_data_management:2.2.0.0:*:*:*:*:*:*:*OR cpe:/a:ibm:spectrum_protect_client:8.1.0.0:*:*:*:*:*:*:*OR cpe:/a:ibm:business_automation_workflow:22.0.1:*:*:*:traditional:*:*:*OR cpe:/a:ibm:business_automation_workflow:21.0.3.1:*:*:*:traditional:*:*:*OR cpe:/a:ibm:business_automation_workflow:22.0.2:*:*:*:traditional:*:*:*OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.2:*:*:*:*:*:*:*
 Denotes that component is vulnerable |
| Oval Definitions |
|
| BACK |