#VU75388 Out-of-bounds read in OpenSSL


Published: 2023-04-20 | Updated: 2023-10-11

Vulnerability identifier: #VU75388

Vulnerability risk: Low

CVSSv3.1: 2.2 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-1255

CWE-ID: CWE-125

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows an attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the AES-XTS cipher decryption implementation for 64 bit ARM platform. An attacker with ability to control the size and location of the ciphertext buffer can trigger an out-of-bounds read and crash the application.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OpenSSL: 3.1.0, 3.0.0 - 3.0.8

External links
http://www.openssl.org/news/secadv/20230420.txt

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data
Multiple vulnerabilities in IBM Storage Protect for Virtual Environments: Data Protection for Microsoft Hyper-V
Multiple vulnerabilities in IBM Storage Protect for Virtual Environments: Data Protection for VMware
Multiple vulnerabilities in IBM QRadar WinCollect Agent
Multiple Vulnerabilities in IBM CloudPak for Watson AIOps
VMware Tanzu products update for OpenSSL
Multiple vulnerabilities in Tenable Sensor Proxy
Multiple vulnerabilities in cert-manager Operator for Red Hat OpenShift
Multiple vulnerabilities in Red Hat OpenShift Data Foundation 4.13
Multiple vulnerabilities in OpenShift Container Platform 4.13