Use-after-free following BIO_new_NDEF
CVE-2023-0215

7.5HIGH

Key Information:

Vendor

OpenSSL
Status
OpenSSL
Vendor
CVE Published:
8 February 2023

What is CVE-2023-0215?

A use-after-free vulnerability exists in the OpenSSL library's BIO_new_NDEF function. This flaw can be triggered under specific conditions, such as when an invalid CMS recipient public key is used. The BIO_new_NDEF function creates a new BIO chain and returns it while failing to properly clean up in the event of an error. This oversight allows for the original BIO to maintain pointers to a freed filter BIO. If an application subsequently calls BIO_pop() on the original BIO, it can lead to a crash, impacting various public API functions and command line utilities that rely on these BIO operations.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

OpenSSL 3.0.0 < 3.0.8

OpenSSL 1.1.1 < 1.1.1t

OpenSSL 1.0.2 < 1.0.2zg

References

https://www.openssl.org/news/secadv/20230207.txt
vendor-advisory
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdif...
patch
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdif...
patch

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Octavio Galland (Max Planck Institute for Security and Privacy)
Marcel Böhme (Max Planck Institute for Security and Privacy)
Viktor Dukhovni
Matt Caswell
JSON
.