OpenSSL Vulnerabilities Fixed in Version 1.1.1u, 3.0.9, and 3.1.1

IDs: CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-2650, CVE-2023-1255
Keywords: openssl
Description:

OpenSSL released versions 1.1.1u, 3.0.9, and 3.1.1, fixing 5 vulnerabilities [1][2].

Currently supported Airlock Gateway and Microgateway versions use OpenSSL 1.1.1 and 3.0.8 to handle front-side/downstream TLS connections.
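The fixed releases above span two OpenSSL version schemes (letter suffixes on the 1.1.1 branch, numeric patch levels on 3.x), so a plain string comparison of `openssl version` output gets the answer wrong. The following is an added example, not Airlock's or OpenSSL's code, that classifies a version string against the fixed releases named in this advisory; branches the advisory does not mention (for example 3.2.x) and pre-release tags are reported as "unknown" rather than guessed. The function names `openssl_status` and `check_local_openssl` are this example's own.

```sh
#!/bin/sh
# Added example (not Airlock's or OpenSSL's code): classify an OpenSSL version
# string against the fixed releases this advisory names: 1.1.1u, 3.0.9, 3.1.1.
# Branches not covered by the advisory and pre-release tags yield "unknown".

# openssl_status VERSION
#   VERSION is either the output of `openssl version`
#   (e.g. "OpenSSL 3.0.8 7 Feb 2023") or a bare version such as "1.1.1t".
#   Prints fixed, vulnerable or unknown; exit status is 0 only for fixed.
openssl_status() {
    # Drop a leading "OpenSSL " and anything after the version token.
    ver=$(printf '%s\n' "$1" | sed -e 's/^OpenSSL *//' -e 's/[[:space:]].*//')
    status=unknown
    case "$ver" in
        *-*)
            # "-dev", "-alpha1" etc. precede the release they name; do not guess.
            status=unknown
            ;;
        1.1.1*)
            # 1.1.1 releases carry a letter suffix that sorts alphabetically:
            # 1.1.1t < 1.1.1u. A bare "1.1.1" is the first release of the branch.
            suffix=$(printf '%s\n' "${ver#1.1.1}" | sed 's/[^a-z].*//')
            if [ -n "$suffix" ] && expr "$suffix" '>=' u >/dev/null; then
                status=fixed
            else
                status=vulnerable
            fi
            ;;
        3.0.*|3.1.*)
            # 3.x uses numeric patch levels: 3.0.9 and 3.1.1 are the fixed ones.
            branch=${ver%.*}                                    # "3.0" or "3.1"
            patch=$(printf '%s\n' "${ver##*.}" | sed 's/[^0-9].*//')
            if [ -z "$patch" ]; then
                status=unknown
            elif [ "$branch" = 3.0 ] && [ "$patch" -ge 9 ]; then
                status=fixed
            elif [ "$branch" = 3.1 ] && [ "$patch" -ge 1 ]; then
                status=fixed
            else
                status=vulnerable
            fi
            ;;
    esac
    printf '%s\n' "$status"
    [ "$status" = fixed ]
}

# check_local_openssl: classify whichever openssl binary is on PATH, if any.
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    openssl_status "$(openssl version)"
}
```

The advisory's own statement that the Gateway ships OpenSSL 1.1.1 and 3.0.8 corresponds to the "vulnerable" result for those two strings; `check_local_openssl` is only meaningful where a shell and the `openssl` binary are actually reachable, which on an appliance may not be the case.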

Details:

The vulnerabilities CVE-2023-0464, CVE-2023-0465 and CVE-2023-0466, addressed by the new OpenSSL releases, concern the use of non-default options when verifying certificates.
Airlock Gateway does not use these non-default options and is therefore not affected.

The vulnerability CVE-2023-1255 only affects the ARM architecture and therefore does not affect Airlock Gateway.

However, an attacker might exploit the vulnerability CVE-2023-2650 to make the Gateway expend significant resources verifying client certificates. Exploiting this vulnerability may in some cases result in a denial of service.

Hotfix HF0053 for Gateway and Microgateway 3.3.6 is available to update OpenSSL.

Resolution:

We recommend applying the hotfix and updating Microgateway when the update is available.

Component: Airlock
Airlock Vulnerability Status: Airlock vulnerable, see resolution
Back-end Vulnerability Status: No action required