Description
A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
Exploits (1)
References (11)
Core 11
Core References
Various Sources
https://www.couchbase.com/alerts/
Third Party Advisory
https://www.debian.org/security/2023/dsa-5417
Third Party Advisory
https://security.gentoo.org/glsa/202402-08
Vendor Advisory
https://security.netapp.com/advisory/ntap-20240621-0006/
Vendor Advisory
https://security.netapp.com/advisory/ntap-20230406-0006/
Vendor Advisory vendor-advisory
https://www.openssl.org/news/secadv/20230322.txt
Mailing List, Patch patch
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545
Mailing List, Patch patch
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1
Mailing List, Patch patch
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b
Scores
CVSS v3
7.5
EPSS
0.0080
EPSS Percentile
74.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-295
Status
published
Products (1)
openssl/openssl
1.0.2 - 1.0.2zh
Published
Mar 22, 2023
Tracked Since
Feb 18, 2026