Nessus is labeling the severity as medium

Michael Mueller abaci.mjm at gmail.com
Wed Apr 5 00:23:11 UTC 2023


CVE-2023-0464 has a base score of 7.5 and base severity of HIGH in the NVD
(attached).

That score and the description of the problem are misaligned in my opinion
(meaning, I agree with the LOW severity - our app is not affected).

But there are project managers in our organization that use NVD as the
reference, and seeing the HIGH, are requiring a 30 day remediation deadline.

Us devs are caught in the middle.

Best regards and thanks for all you do,
Mike Mueller


On Tue, Apr 4, 2023 at 7:06 PM Dr Paul Dale <pauli at openssl.org> wrote:

> I was discussing CVE-2023-0466 which seemed to be the relevant one.
> Looking again, the table you included isn't overly clear (to me at least)
> what it's referring to.
>
> Dr Paul Dale
>
> On 5/4/23 09:02, Dr Paul Dale wrote:
>
> We do not have a firm release date for 1.1.1u at this point.  As per our
> policy, LOW severity CVEs are not release triggering and this one is
> considered LOW severity by the project.  Barring other eventualities, three
> months is a likely time frame.
>
> I'll note that the issue here was in the documentation and that the fix is
> purely a documentation change.  This change is already available online on
> our web site:
>
>
> https://www.openssl.org/docs/man1.1.1/man3/X509_VERIFY_PARAM_set_flags.html
>
>
> Dr Paul Dale
>
> On 4/4/23 23:16, Joslin, Jack via openssl-users wrote:
>
> Hello,
>
> When will OpenSSL 1.1.1u be released?
>
> Tenable indicates the vulnerability severity of 1.1.1t as medium. I found
> this post indicating that there is no ETA on the release of OpenSSL 1.1.1u
> and that it may not be released for 3 months.
>
> OpenSSL Security Advisory
> <https://mta.openssl.org/pipermail/openssl-users/2023-March/016106.html>
>
> From Nessus/Tenable scan:
>
> Plugin        : 173260
> Plugin Name   : OpenSSL 1.1.1 < 1.1.1u Multiple Vulnerabilities
> Severity      : Medium
> Plugin Output :
>   Banner           : Apache/2.4.56 (Unix) OpenSSL/1.1.1t mod_perl/2.0.9 Perl/v5.8.8
>   Reported version : 1.1.1t
>   Fixed version    : 1.1.1u
> Solution      : Upgrade to OpenSSL version 1.1.1u or later.
> Risk Factor   : Medium
> CVE           : CVE-2023-0464, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466
>
> Regards,
>
> Jack Joslin
>
> Business Services Outsourcing Center (BSOC)
>
> General Dynamics, Information Technology
>
> 327 Columbia Turnpike, Rensselaer, NY 12144
>
> jack.joslin at gdit.com
>
> m: +1.321.431.5117
>
-------------- next part --------------
urlOpenssl = https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=openssl&pubStartDate=2023-03-21T00:00:00.000&pubEndDate=2023-03-30T00:00:00.000
Openssl results:
{
    "resultsPerPage": 3,
    "startIndex": 0,
    "totalResults": 3,
    "format": "NVD_CVE",
    "version": "2.0",
    "timestamp": "2023-04-04T12:49:39.487",
    "vulnerabilities": [
        {
            "cve": {
                "id": "CVE-2023-0464",
                "sourceIdentifier": "openssl-security at openssl.org",
                "published": "2023-03-22T17:15:13.130",
                "lastModified": "2023-03-29T19:37:35.303",
                "vulnStatus": "Analyzed",
                "descriptions": [
                    {
                        "lang": "en",
                        "value": "A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function."
                    }
                ],
                "metrics": {
                    "cvssMetricV31": [
                        {
                            "source": "nvd at nist.gov",
                            "type": "Primary",
                            "cvssData": {
                                "version": "3.1",
                                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                                "attackVector": "NETWORK",
                                "attackComplexity": "LOW",
                                "privilegesRequired": "NONE",
                                "userInteraction": "NONE",
                                "scope": "UNCHANGED",
                                "confidentialityImpact": "NONE",
                                "integrityImpact": "NONE",
                                "availabilityImpact": "HIGH",
                                "baseScore": 7.5,
                                "baseSeverity": "HIGH"
                            },
                            "exploitabilityScore": 3.9,
                            "impactScore": 3.6
                        }
                    ]
                },
                "weaknesses": [
                    {
                        "source": "nvd at nist.gov",
                        "type": "Primary",
                        "description": [
                            {
                                "lang": "en",
                                "value": "CWE-295"
                            }
                        ]
                    }
                ],
                "configurations": [
                    {
                        "nodes": [
                            {
                                "operator": "OR",
                                "negate": false,
                                "cpeMatch": [
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
                                        "versionStartIncluding": "1.0.2",
                                        "versionEndExcluding": "1.0.2zh",
                                        "matchCriteriaId": "23F912E9-9126-4D16-8F77-BD41CED6774D"
                                    },
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
                                        "versionStartIncluding": "1.1.1",
                                        "versionEndExcluding": "1.1.1u",
                                        "matchCriteriaId": "7D99C2F8-BE74-4912-8653-A2AEE387AAF9"
                                    },
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
                                        "versionStartIncluding": "3.0.0",
                                        "versionEndExcluding": "3.0.9",
                                        "matchCriteriaId": "4C637E94-F5EC-4D4B-836F-8C8219F1ECEC"
                                    },
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
                                        "versionStartIncluding": "3.1.0",
                                        "versionEndExcluding": "3.1.1",
                                        "matchCriteriaId": "68821BE0-7889-48B0-888D-CEC8BB9BDEA9"
                                    }
                                ]
                            }
                        ]
                    }
                ],
                "references": [
                    {
                        "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545",
                        "source": "openssl-security at openssl.org",
                        "tags": [
                            "Mailing List",
                            "Patch"
                        ]
                    },
                    {
                        "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b",
                        "source": "openssl-security at openssl.org",
                        "tags": [
                            "Mailing List",
                            "Patch"
                        ]
                    },
                    {
                        "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1",
                        "source": "openssl-security at openssl.org",
                        "tags": [
                            "Mailing List",
                            "Patch"
                        ]
                    },
                    {
                        "url": "https://www.openssl.org/news/secadv/20230322.txt",
                        "source": "openssl-security at openssl.org",
                        "tags": [
                            "Vendor Advisory"
                        ]
                    }
                ]
            }
        },
        {
            "cve": {
                "id": "CVE-2023-0465",
                "sourceIdentifier": "openssl-security at openssl.org",
                "published": "2023-03-28T15:15:06.820",
                "lastModified": "2023-03-28T16:28:12.823",
                "vulnStatus": "Undergoing Analysis",
                "descriptions": [
                    {
                        "lang": "en",
                        "value": "Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function."
                    }
                ],
                "metrics": {},
                "references": [
                    {
                        "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=10325176f3d3e98c6e2b3bf5ab1e3b334de6947a",
                        "source": "openssl-security at openssl.org"
                    },
                    {
                        "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb",
                        "source": "openssl-security at openssl.org"
                    },
                    {
                        "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95",
                        "source": "openssl-security at openssl.org"
                    },
                    {
                        "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=facfb1ab745646e97a1920977ae4a9965ea61d5c",
                        "source": "openssl-security at openssl.org"
                    },
                    {
                        "url": "https://www.openssl.org/news/secadv/20230328.txt",
                        "source": "openssl-security at openssl.org"
                    }
                ]
            }
        },
        {
            "cve": {
                "id": "CVE-2023-0466",
                "sourceIdentifier": "openssl-security at openssl.org",
                "published": "2023-03-28T15:15:06.880",
                "lastModified": "2023-03-28T16:28:12.823",
                "vulnStatus": "Undergoing Analysis",
                "descriptions": [
                    {
                        "lang": "en",
                        "value": "The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications."
                    }
                ],
                "metrics": {},
                "references": [
                    {
                        "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a",
                        "source": "openssl-security at openssl.org"
                    },
                    {
                        "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908",
                        "source": "openssl-security at openssl.org"
                    },
                    {
                        "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72",
                        "source": "openssl-security at openssl.org"
                    },
                    {
                        "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061",
                        "source": "openssl-security at openssl.org"
                    },
                    {
                        "url": "https://www.openssl.org/news/secadv/20230328.txt",
                        "source": "openssl-security at openssl.org"
                    }
                ]
            }
        }
    ]
}
Oracle Tuxedo results:
{
    "resultsPerPage": 0,
    "startIndex": 0,
    "totalResults": 0,
    "format": "NVD_CVE",
    "version": "2.0",
    "timestamp": "2023-04-04T12:49:41.913",
    "vulnerabilities": []
}
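As an added example (not code from the thread, from NVD or from the OpenSSL project), a small Python triage helper that reads an NVD 2.0 response like the one attached above, checks whether a reported OpenSSL version such as the 1.1.1t in the Nessus banner falls inside each CVE's vulnerable CPE range, and reports the NVD base severity that the scanner and the project managers are reading. The JSON inside the block is a constructed, trimmed copy of the attached record's shape, and the function names are my own.

```python
import json
import re

# Constructed, trimmed copy of the shape of the attached NVD 2.0 record (not real NVD output).
NVD_SAMPLE = json.loads("""{
  "vulnerabilities": [
    {"cve": {"id": "CVE-2023-0464",
      "metrics": {"cvssMetricV31": [{"type": "Primary",
        "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
      "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "1.1.1", "versionEndExcluding": "1.1.1u"},
        {"vulnerable": true, "criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.0.9"}]}]}]}},
    {"cve": {"id": "CVE-2023-0465", "metrics": {}}}
  ]}""")

def openssl_version_key(v):
    """Sort key for OpenSSL versions: numeric parts, then the letter patch suffix
    ('1.1.1t' < '1.1.1u'; a bare '1.1.1' sorts before '1.1.1a'; 'z' < 'za' < 'zh')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    return tuple(int(x) for x in m.groups()[:3]) + (m.group(4),)

def in_range(version, match):
    """True if `version` lies in the NVD [versionStartIncluding, versionEndExcluding) range."""
    k = openssl_version_key(version)
    lo, hi = match.get("versionStartIncluding"), match.get("versionEndExcluding")
    if lo and k < openssl_version_key(lo):
        return False
    if hi and k >= openssl_version_key(hi):
        return False
    return True

def triage(nvd, cpe_prefix, version):
    """Map CVE id -> (NVD severity, base score) for CVEs whose vulnerable CPE ranges
    cover `version`. Entries still 'Undergoing Analysis' carry empty metrics and no
    configurations; they are kept and reported as UNSCORED instead of silently dropped."""
    out = {}
    for item in nvd["vulnerabilities"]:
        cve = item["cve"]
        nodes = [n for c in cve.get("configurations", []) for n in c["nodes"]]
        matches = [m for n in nodes for m in n["cpeMatch"]
                   if m["vulnerable"] and m["criteria"].startswith(cpe_prefix)]
        if nodes and not any(in_range(version, m) for m in matches):
            continue  # ranges are known and none of them covers this version
        v31 = cve.get("metrics", {}).get("cvssMetricV31", [])
        primary = next((m["cvssData"] for m in v31 if m["type"] == "Primary"), None)
        out[cve["id"]] = ((primary["baseSeverity"], primary["baseScore"]) if primary
                          else ("UNSCORED", None))
    return out
```

The output is the NVD view only; per the advisory text in the attachment, certificate policy checking is off by default, so whether an application enables it is what decides its actual exposure.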