#VU80565 Input validation error in OpenSSL


Published: 2023-09-08 | Updated: 2023-09-11

Vulnerability identifier: #VU80565

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4807

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the POLY1305 MAC (message authentication code) implementation. A remote attacker can send specially crafted input to the application and corrupt MM registers on Windows 64 platform, resulting in a denial of service condition.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OpenSSL: 3.1.0 - 3.1.2, 3.0.0 - 3.0.10, 1.1.1 - 1.1.1v

External links
http://www.openssl.org/news/secadv/20230908.txt
http://github.com/openssl/openssl/releases/tag/OpenSSL_1_1_1w

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Input validation error in IBM Sterling Connect:Direct Web Service
Input validation error in IBM Host On-Demand
Multiple vulnerabilities in IBM Planning Analytics Local - IBM Planning Analytics Workspace
Multiple vulnerabilities in PeopleSoft Enterprise PeopleTools
Multiple vulnerabilities in Juniper Networks Junos cRPD
Multiple vulnerabilities in Juniper Cloud Native Router
Multiple vulnerabilities in Siemens Telecontrol Server Basic
Multiple vulnerabilities in IBM Maximo Application Suite
Multiple vulnerabilities in IBM Rational ClearCase
Input validation error in IBM Rational ClearQuest