Is PIM/PAMSC affected by OpenSSL Security Advisory [22nd March 2023]
search cancel

Is PIM/PAMSC affected by OpenSSL Security Advisory [22nd March 2023]

book

Article ID: 263001

calendar_today

Updated On:

Products

CA Privileged Identity Management Endpoint (PIM) CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

OpenSSL team announced Security Advisory on 22 Mar 2023.  It this CVE-2023-0464 affect on PIM or PAMSC all version?

Excessive Resource Usage Verifying X.509 Policy Constraints (CVE-2023-0464)
===========================================================================

Severity: Low

A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints.  Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.

Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.

OpenSSL 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next releases when they
become available. The fix is also available in commit 2017771e (for 3.1),
commit 959c59c7 (for 3.0), commit 879f7080 (for 1.1.1) in the OpenSSL
git repository, and commit 2dcd4f1e (for 1.0.2) in the OpenSSL git
repository for premium customers.

Once they are released:

OpenSSL 3.1 users should upgrade to 3.1.1.
OpenSSL 3.0 users should upgrade to 3.0.9.
OpenSSL 1.1.1 users should upgrade to 1.1.1u.
OpenSSL 1.0.2 users should upgrade to 1.0.2zh (premium support customers only).

This issue was reported on 12th January 2023 by David Benjamin (Google).
The fix was developed by Dr Paul Dale.

OpenSSL 1.1.1 will reach end-of-life on 2023-09-11. After that date security
fixes for 1.1.1 will only be available to premium support customers.

Environment

Privileged Access Manager Server Control
Release : 14.x

Privileged Identity Manager
Release : 12.8 x

Resolution

we are using the openssl (1.0.2f for windows and for Linux we are using the OS provided openssl version) only for the creation of activemq certificate.
As this vulnerability is most likely to affect applications that have implemented their own functionality for retrieving CRLs over a network.
As per our knowledge, we do not use any custom implementation for CRL retrieval in our applications or services.

Powered by Wolken Software