Vulnerability Name:

CVE-2023-0401 (CCN-246618)

Assigned:2023-02-07
Published:2023-02-07
Updated:2023-07-19
Summary:OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference during PKCS7 data verification. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2023-0401

Source: XF
Type: UNKNOWN
openssl-cve20230401-dos(246618)

Source: openssl-security@openssl.org
Type: Patch, Vendor Advisory
openssl-security@openssl.org

Source: CCN
Type: Packet Storm Security [02-08-2023]
OpenSSL Toolkit 3.0.8

Source: CCN
Type: Packet Storm Security [02-07-2023]
OpenSSL Security Advisory 20230207

Source: CCN
Type: IBM Security Bulletin 6959033 (Business Automation Workflow traditional)
Multiple vulnerabilities in IBM SDK for Node.js and packaged modules affect IBM Business Automation Workflow Configuration Editor

Source: CCN
Type: IBM Security Bulletin 6960753 (Aspera faspio Gateway)
IBM Aspera faspio Gateway 1.3.2 has addressed multiple openssl vulnerabilities (CVE-2023-0401, CVE-2022-4203, CVE-2022-4304, CVE-2023-0216, CVE-2023-0215, CVE-2022-4450, CVE-2023-0217, CVE-2023-0286)

Source: CCN
Type: IBM Security Bulletin 6962773 (QRadar WinCollect Agent)
IBM QRadar WinCollect agent has multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6963634 (App Connect Enterprise)
Multiple vulnerabilities within OpenSSL and Node.js affect IBM App Connect Enterprise and IBM Integration Bus

Source: CCN
Type: IBM Security Bulletin 6963784 (Spectrum Protect Client)
Vulnerabilites in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client (CVE-2022-4450, CVE-2023-0216, CVE-2023-0401, CVE-2022-4203, CVE-2023-0217)

Source: CCN
Type: IBM Security Bulletin 6964854 (AIX)
Multiple vulnerabilities in OpenSSL affect AIX

Source: CCN
Type: IBM Security Bulletin 6965816 (Spectrum Protect Plus)
Vulnerabilities in Node.js, libcurl, Golang Go, Jetty, Guava, Netty, OpenSSL, Linux kernel may affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6984697 (MobileFirst Foundation)
OpenSSL publicly disclosed vulnerability affects IBM? MobileFirst Platform

Source: CCN
Type: OpenSSL Security Advisory [7th February 2023]
NULL dereference during PKCS7 data verification (CVE-2023-0401)

Source: openssl-security@openssl.org
Type: Vendor Advisory
openssl-security@openssl.org

Vulnerable Configuration:Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*
    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*
    • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:9:*:*:*:*:*:*:*
    • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:9::baseos:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:openssl:openssl:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:3.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:3.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:3.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:3.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:3.0.6:*:*:*:*:*:*:*
  • AND
  • cpe:/o:ibm:aix:7.1:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:11.0.0.1:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:vios:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.1:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.2:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:21.0.1:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_client:8.1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:22.0.1:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:22.0.2:*:*:*:traditional:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:7631
    P
    		libopenssl-3-devel-3.0.8-150500.3.1 on GA media (Moderate)
    2023-06-12
    oval:com.redhat.rhsa:def:20230946
    P
    		RHSA-2023:0946: openssl security and bug fix update (Important)
    2023-03-21
    BACK
    openssl openssl 3.0.1
    openssl openssl 3.0.2
    openssl openssl 3.0.3
    openssl openssl 3.0.4
    openssl openssl 3.0.0
    openssl openssl 3.0.5
    openssl openssl 3.0.6
    ibm aix 7.1
    ibm aix 7.2
    ibm spectrum protect plus 10.1.0
    ibm integration bus 10.0.0.0
    ibm app connect 11.0.0.1
    ibm vios 3.1
    ibm app connect enterprise 12.0.1.0
    ibm aix 7.3
    ibm business automation workflow 20.0.0.1
    ibm business automation workflow 20.0.0.2
    ibm business automation workflow 21.0.1
    ibm spectrum protect client 8.1.0.0
    ibm business automation workflow 22.0.1
    ibm business automation workflow 22.0.2