Recent Open SSL security advisory

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Recent Open SSL security advisory

Post by Whoever » 2023/02/07 20:06:39

Is CentOS 7 affected by this advisory:

OpenSSL Security Advisory [7th February 2023]
=============================================

X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
...

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Recent Open SSL security advisory

Post by jlehtone » 2023/02/07 20:47:48

https://access.redhat.com/security/cve/cve-2023-0286 seems to say: "yes, but it's not critical enough to fix".

rklrkl
Posts: 75
Joined: 2005/10/22 22:06:04
Location: U.K.

Re: Recent Open SSL security advisory

Post by rklrkl » 2023/02/09 14:44:48

RHEL 7 is in its "Maintenance Support 2" tier until 30th June 2024 and it looks like that particular CVE, though rated "high" by openssl.org, was downgraded to "moderate" by Red Hat because the vulnerability only occurs if you modify the way it handles certificate revocation lists (which RHEL's implementation doesn't).

The problem is that there are 8 security vulnerabilities that have been fixed with the latest OpenSSL 3.0.8 and 1.1.1t releases, but there is no "free" fix for any 1.0.2 release (which is what RHEL 7/CentOS 7 uses). If you want a fixed 1.0.2 release from openssl.org, you have to pay them $50,000 a year (I kid you not).

So if Red Hat don't fix it for RHEL 7, we won't see official CentOS 7 fixes either and with no free download of a fixed 1.0.2 release from openssl.org, there will be no "official" way to get a fix for the 8 vulnerabilities, even though RHEL 7/CentOS 7 still have over a year of support left. Yes, in theory you could look at the source diffs for the 1.1.1 fixes and try to apply them to the 1.0.2k CentOS 7 source, but it's all messy and you're not guaranteed that 1.1.1 fixes can be easily backported to 1.0.2 anyway.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Recent Open SSL security advisory

Post by TrevorH » 2023/02/09 15:53:25

Most of the openssl vulnerabilities listed there are not applicable to 1.0.2 anyway - https://www.openssl.org/news/secadv/20230207.txt

CVE-2023-0401 - OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
CVE-2023-0217 - OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
CVE-2023-0216 - OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
CVE-2022-4450 - OpenSSL 1.0.2 is not affected by this issue.
CVE-2023-0215 - affected
CVE-2022-4203 - OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
CVE-2022-4304 - affected
CVE-2023-0286 - affected but this is the one that RH say is almost impossible to exploit

So of those 8, 5 are not applicable to 1.0.2 at all.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
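The per-CVE triage in the post above (read the advisory, note which branches it rules out, compare against what the distro package actually ships) can be scripted. The following is an added example, not code from the thread or from OpenSSL or Red Hat; the advisory text and the rpm changelog entry are constructed samples in the shape of the real ones, and the `parse_advisory`, `applicable` and `unfixed` helpers are my own names.

```python
import re
# Constructed excerpt laid out like an OpenSSL secadv text (not the real 20230207.txt).
ADVISORY = """\
X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
Severity: High
OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg (premium support customers only).

Timing Oracle in RSA Decryption (CVE-2022-4304)
Severity: Moderate
OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zg (premium support customers only).

Invalid pointer dereference in d2i_PKCS7 functions (CVE-2023-0216)
Severity: Moderate
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

Double free after calling PEM_read_bio_ex (CVE-2022-4450)
Severity: Moderate
OpenSSL 1.0.2 is not affected by this issue.
"""

# Constructed excerpt shaped like `rpm -q --changelog openssl`; entry and packager are invented.
CHANGELOG = """\
* Mon Jan 01 2024 Example Packager <packager@example.invalid> 1:1.0.2k-26
- fix CVE-2022-4304 - timing oracle in RSA decryption
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d+")
def parse_advisory(text):
    """Map each CVE to its severity and the branches the advisory says it does not affect."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        cve = re.search(r"\((CVE-\d{4}-\d+)\)", block)
        if not cve:
            continue
        sev = re.search(r"^Severity:\s*(\w+)", block, re.M)
        not_affected = set()
        # Handles both "OpenSSL 1.1.1 and 1.0.2 are not affected" and "OpenSSL 1.0.2 is not affected".
        for vers in re.findall(r"OpenSSL ([\d., and]+?) (?:is|are) not affected", block):
            not_affected.update(re.findall(r"\d+\.\d+(?:\.\d+)?", vers))
        entries[cve.group(1)] = {"severity": sev.group(1) if sev else "Unknown", "not_affected": not_affected}
    return entries

def applicable(entries, branch):
    """CVEs the advisory does not rule out for the given release branch, e.g. "1.0.2"."""
    return sorted(cve for cve, e in entries.items() if branch not in e["not_affected"])

def unfixed(entries, branch, changelog):
    """Applicable CVEs that the installed package's changelog does not claim to fix."""
    fixed = set(CVE_RE.findall(changelog))
    return [cve for cve in applicable(entries, branch) if cve not in fixed]
```

On a real host, feed `unfixed` the output of `rpm -q --changelog openssl` for the 1.0.2 branch; whatever it returns is the list to raise with the vendor or to mitigate another way.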

Lonzak
Posts: 1
Joined: 2023/03/02 08:08:32

Re: Recent Open SSL security advisory

Post by Lonzak » 2023/03/02 08:18:03

CVE-2023-0215 - affected
CVE-2022-4304 - affected
CVE-2023-0286 - affected (today maybe almost impossible to exploit, but tomorrow nobody knows)

In the end 1 exploit is enough to be vulnerable. No chance explaining this to the security department in a company...
And it doesn't seem that these 3 CVEs are fixed, thus CentOS (in this regard) is not maintained anymore.
The only solution is to switch to some other distro now (not in 2024). I mean the death was foreseeable; it just came a bit earlier than expected.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Recent Open SSL security advisory

Post by TrevorH » 2023/03/02 10:17:20

It's not CentOS, it's RHEL 7 as well.
