github.com/argoproj/argo-cd/v2@v2.10.9/docs/snyk/master/redis_7.0.11-alpine.html (about) 1 <!DOCTYPE html> 2 <html lang="en"> 3 4 <head> 5 <meta http-equiv="Content-type" content="text/html; charset=utf-8"> 6 <meta http-equiv="Content-Language" content="en-us"> 7 <meta name="viewport" content="width=device-width, initial-scale=1.0"> 8 <meta http-equiv="X-UA-Compatible" content="IE=edge"> 9 <title>Snyk test report</title> 10 <meta name="description" content="5 known vulnerabilities found in 41 vulnerable dependency paths."> 11 <base target="_blank"> 12 <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png" 13 sizes="194x194"> 14 <link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico"> 15 <style type="text/css"> 16 17 body { 18 -moz-font-feature-settings: "pnum"; 19 -webkit-font-feature-settings: "pnum"; 20 font-variant-numeric: proportional-nums; 21 display: flex; 22 flex-direction: column; 23 font-feature-settings: "pnum"; 24 font-size: 100%; 25 line-height: 1.5; 26 min-height: 100vh; 27 -webkit-text-size-adjust: 100%; 28 margin: 0; 29 padding: 0; 30 background-color: #F5F5F5; 31 font-family: 'Arial', 'Helvetica', Calibri, sans-serif; 32 } 33 34 h1, 35 h2, 36 h3, 37 h4, 38 h5, 39 h6 { 40 font-weight: 500; 41 } 42 43 a, 44 a:link, 45 a:visited { 46 border-bottom: 1px solid #4b45a9; 47 text-decoration: none; 48 color: #4b45a9; 49 } 50 51 a:hover, 52 a:focus, 53 a:active { 54 border-bottom: 1px solid #4b45a9; 55 } 56 57 hr { 58 border: none; 59 margin: 1em 0; 60 border-top: 1px solid #c5c5c5; 61 } 62 63 ul { 64 padding: 0 1em; 65 margin: 1em 0; 66 } 67 68 code { 69 background-color: #EEE; 70 color: #333; 71 padding: 0.25em 0.5em; 72 border-radius: 0.25em; 73 } 74 75 pre { 76 background-color: #333; 77 font-family: monospace; 78 padding: 0.5em 1em 0.75em; 79 border-radius: 0.25em; 80 font-size: 14px; 81 } 82 83 pre code { 84 padding: 0; 85 
background-color: transparent; 86 color: #fff; 87 } 88 89 a code { 90 border-radius: .125rem .125rem 0 0; 91 padding-bottom: 0; 92 color: #4b45a9; 93 } 94 95 a[href^="http://"]:after, 96 a[href^="https://"]:after { 97 background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E"); 98 background-repeat: no-repeat; 99 background-size: .75rem; 100 content: ""; 101 display: inline-block; 102 height: .75rem; 103 margin-left: .25rem; 104 width: .75rem; 105 } 106 107 108 /* Layout */ 109 110 [class*=layout-container] { 111 margin: 0 auto; 112 max-width: 71.25em; 113 padding: 1.9em 1.3em; 114 position: relative; 115 } 116 .layout-container--short { 117 padding-top: 0; 118 padding-bottom: 0; 119 max-width: 48.75em; 120 } 121 122 .layout-container--short:after { 123 display: block; 124 content: ""; 125 clear: both; 126 } 127 128 /* Header */ 129 130 .header { 131 padding-bottom: 1px; 132 } 133 134 .paths { 135 margin-left: 8px; 136 } 137 .header-wrap { 138 display: flex; 139 flex-direction: row; 140 justify-content: space-between; 141 padding-top: 2em; 142 } 143 .project__header { 144 background-color: #4b45a9; 145 color: #fff; 146 margin-bottom: -1px; 147 padding-top: 1em; 148 padding-bottom: 0.25em; 149 border-bottom: 2px solid #BBB; 150 } 151 152 .project__header__title { 153 overflow-wrap: break-word; 154 word-wrap: break-word; 
155 word-break: break-all; 156 margin-bottom: .1em; 157 margin-top: 0; 158 } 159 160 .timestamp { 161 float: right; 162 clear: none; 163 margin-bottom: 0; 164 } 165 166 .meta-counts { 167 clear: both; 168 display: block; 169 flex-wrap: wrap; 170 justify-content: space-between; 171 margin: 0 0 1.5em; 172 color: #fff; 173 clear: both; 174 font-size: 1.1em; 175 } 176 177 .meta-count { 178 display: block; 179 flex-basis: 100%; 180 margin: 0 1em 1em 0; 181 float: left; 182 padding-right: 1em; 183 border-right: 2px solid #fff; 184 } 185 186 .meta-count:last-child { 187 border-right: 0; 188 padding-right: 0; 189 margin-right: 0; 190 } 191 192 /* Card */ 193 194 .card { 195 background-color: #fff; 196 border: 1px solid #c5c5c5; 197 border-radius: .25rem; 198 margin: 0 0 2em 0; 199 position: relative; 200 min-height: 40px; 201 padding: 1.5em; 202 } 203 204 .card .label { 205 background-color: #767676; 206 border: 2px solid #767676; 207 color: white; 208 padding: 0.25rem 0.75rem; 209 font-size: 0.875rem; 210 text-transform: uppercase; 211 display: inline-block; 212 margin: 0; 213 border-radius: 0.25rem; 214 } 215 216 .card .label__text { 217 vertical-align: text-top; 218 font-weight: bold; 219 } 220 221 .card .label--critical { 222 background-color: #AB1A1A; 223 border-color: #AB1A1A; 224 } 225 226 .card .label--high { 227 background-color: #CE5019; 228 border-color: #CE5019; 229 } 230 231 .card .label--medium { 232 background-color: #D68000; 233 border-color: #D68000; 234 } 235 236 .card .label--low { 237 background-color: #88879E; 238 border-color: #88879E; 239 } 240 241 .severity--low { 242 border-color: #88879E; 243 } 244 245 .severity--medium { 246 border-color: #D68000; 247 } 248 249 .severity--high { 250 border-color: #CE5019; 251 } 252 253 .severity--critical { 254 border-color: #AB1A1A; 255 } 256 257 .card--vuln { 258 padding-top: 4em; 259 } 260 261 .card--vuln .label { 262 left: 0; 263 position: absolute; 264 top: 1.1em; 265 padding-left: 1.9em; 266 padding-right: 
1.9em; 267 border-radius: 0 0.25rem 0.25rem 0; 268 } 269 270 .card--vuln .card__section h2 { 271 font-size: 22px; 272 margin-bottom: 0.5em; 273 } 274 275 .card--vuln .card__section p { 276 margin: 0 0 0.5em 0; 277 } 278 279 .card--vuln .card__meta { 280 padding: 0 0 0 1em; 281 margin: 0; 282 font-size: 1.1em; 283 } 284 285 .card .card__meta__paths { 286 font-size: 0.9em; 287 } 288 289 .card--vuln .card__title { 290 font-size: 28px; 291 margin-top: 0; 292 } 293 294 .card--vuln .card__cta p { 295 margin: 0; 296 text-align: right; 297 } 298 299 .source-panel { 300 clear: both; 301 display: flex; 302 justify-content: flex-start; 303 flex-direction: column; 304 align-items: flex-start; 305 padding: 0.5em 0; 306 width: fit-content; 307 } 308 309 310 311 </style> 312 <style type="text/css"> 313 .metatable { 314 text-size-adjust: 100%; 315 -webkit-font-smoothing: antialiased; 316 -webkit-box-direction: normal; 317 color: inherit; 318 font-feature-settings: "pnum"; 319 box-sizing: border-box; 320 background: transparent; 321 border: 0; 322 font: inherit; 323 font-size: 100%; 324 margin: 0; 325 outline: none; 326 padding: 0; 327 text-align: left; 328 text-decoration: none; 329 vertical-align: baseline; 330 z-index: auto; 331 margin-top: 12px; 332 border-collapse: collapse; 333 border-spacing: 0; 334 font-variant-numeric: tabular-nums; 335 max-width: 51.75em; 336 } 337 338 tbody { 339 text-size-adjust: 100%; 340 -webkit-font-smoothing: antialiased; 341 -webkit-box-direction: normal; 342 color: inherit; 343 font-feature-settings: "pnum"; 344 border-collapse: collapse; 345 border-spacing: 0; 346 box-sizing: border-box; 347 background: transparent; 348 border: 0; 349 font: inherit; 350 font-size: 100%; 351 margin: 0; 352 outline: none; 353 padding: 0; 354 text-align: left; 355 text-decoration: none; 356 vertical-align: baseline; 357 z-index: auto; 358 display: flex; 359 flex-wrap: wrap; 360 } 361 362 .meta-row { 363 text-size-adjust: 100%; 364 -webkit-font-smoothing: 
antialiased; 365 -webkit-box-direction: normal; 366 color: inherit; 367 font-feature-settings: "pnum"; 368 border-collapse: collapse; 369 border-spacing: 0; 370 box-sizing: border-box; 371 background: transparent; 372 border: 0; 373 font: inherit; 374 font-size: 100%; 375 outline: none; 376 text-align: left; 377 text-decoration: none; 378 vertical-align: baseline; 379 z-index: auto; 380 display: flex; 381 align-items: start; 382 border-top: 1px solid #d3d3d9; 383 padding: 8px 0 0 0; 384 border-bottom: none; 385 margin: 8px; 386 width: 47.75%; 387 } 388 389 .meta-row-label { 390 text-size-adjust: 100%; 391 -webkit-font-smoothing: antialiased; 392 -webkit-box-direction: normal; 393 font-feature-settings: "pnum"; 394 border-collapse: collapse; 395 border-spacing: 0; 396 color: #4c4a73; 397 box-sizing: border-box; 398 background: transparent; 399 border: 0; 400 font: inherit; 401 margin: 0; 402 outline: none; 403 text-decoration: none; 404 z-index: auto; 405 align-self: start; 406 flex: 1; 407 font-size: 1rem; 408 line-height: 1.5rem; 409 padding: 0; 410 text-align: left; 411 vertical-align: top; 412 text-transform: none; 413 letter-spacing: 0; 414 } 415 416 .meta-row-value { 417 text-size-adjust: 100%; 418 -webkit-font-smoothing: antialiased; 419 -webkit-box-direction: normal; 420 color: inherit; 421 font-feature-settings: "pnum"; 422 border-collapse: collapse; 423 border-spacing: 0; 424 word-break: break-word; 425 box-sizing: border-box; 426 background: transparent; 427 border: 0; 428 font: inherit; 429 font-size: 100%; 430 margin: 0; 431 outline: none; 432 padding: 0; 433 text-align: right; 434 text-decoration: none; 435 vertical-align: baseline; 436 z-index: auto; 437 } 438 </style> 439 </head> 440 441 <body class="section-projects"> 442 <main class="layout-stacked"> 443 <div class="layout-stacked__header header"> 444 <header class="project__header"> 445 <div class="layout-container"> 446 <a class="brand" href="https://snyk.io" title="Snyk"> 447 <svg width="68px" 
height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img"> 448 <title>Snyk - Open Source Security</title> 449 <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd"> 450 <g fill="#fff"> 451 <path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 C41.08,22.079 40.75,19.516 40.292,18.172 L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path> 452 </g> 453 </g> 454 </svg> 455 </a> 456 <div class="header-wrap"> 457 <h1 class="project__header__title">Snyk test report</h1> 458 459 <p class="timestamp">October 29th 2023, 12:15:46 am (UTC+00:00)</p> 460 </div> 461 <div class="source-panel"> 462 <span>Scanned the following path:</span> 463 <ul> 464 <li 
class="paths">redis:7.0.11-alpine (apk)</li> 465 </ul> 466 </div> 467 468 <div class="meta-counts"> 469 <div class="meta-count"><span>5</span> <span>known vulnerabilities</span></div> 470 <div class="meta-count"><span>41 vulnerable dependency paths</span></div> 471 <div class="meta-count"><span>18</span> <span>dependencies</span></div> 472 </div><!-- .meta-counts --> 473 </div><!-- .layout-container--short --> 474 </header><!-- .project__header --> 475 </div><!-- .layout-stacked__header --> 476 <section class="layout-container"> 477 <table class="metatable"> 478 <tbody> 479 <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">docker-image|redis</td></tr> 480 <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">redis:7.0.11-alpine</td></tr> 481 <tr class="meta-row"><th class="meta-row-label">Package Manager</th> <td class="meta-row-value">apk</td></tr> 482 483 </tbody> 484 </table> 485 </section> 486 <div class="layout-container" style="padding-top: 35px;"> 487 <div class="cards--vuln filter--patch filter--ignore"> 488 <div class="card card--vuln disclosure--not-new severity--critical" data-snyk-test="critical"> 489 <h2 class="card__title">Out-of-bounds Write</h2> 490 <div class="card__section"> 491 492 <div class="label label--critical"> 493 <span class="label__text">critical severity</span> 494 </div> 495 496 <hr/> 497 498 <ul class="card__meta"> 499 <li class="card__meta__item"> 500 Package Manager: alpine:3.18 501 </li> 502 <li class="card__meta__item"> 503 Vulnerable module: 504 505 busybox/busybox 506 </li> 507 508 <li class="card__meta__item">Introduced through: 509 510 docker-image|redis@7.0.11-alpine and busybox/busybox@1.36.1-r0 511 512 </li> 513 </ul> 514 515 <hr/> 516 517 518 <h3 class="card__section__title">Detailed paths</h3> 519 520 <ul class="card__meta__paths"> 521 <li> 522 <span class="list-paths__item__introduced"><em>Introduced through</em>: 523 docker-image|redis@7.0.11-alpine 
524 <span class="list-paths__item__arrow">›</span> 525 busybox/busybox@1.36.1-r0 526 527 </span> 528 529 </li> 530 <li> 531 <span class="list-paths__item__introduced"><em>Introduced through</em>: 532 docker-image|redis@7.0.11-alpine 533 <span class="list-paths__item__arrow">›</span> 534 alpine-baselayout/alpine-baselayout@3.4.3-r1 535 <span class="list-paths__item__arrow">›</span> 536 busybox/busybox-binsh@1.36.1-r0 537 <span class="list-paths__item__arrow">›</span> 538 busybox/busybox@1.36.1-r0 539 540 </span> 541 542 </li> 543 <li> 544 <span class="list-paths__item__introduced"><em>Introduced through</em>: 545 docker-image|redis@7.0.11-alpine 546 <span class="list-paths__item__arrow">›</span> 547 busybox/busybox-binsh@1.36.1-r0 548 549 </span> 550 551 </li> 552 <li> 553 <span class="list-paths__item__introduced"><em>Introduced through</em>: 554 docker-image|redis@7.0.11-alpine 555 <span class="list-paths__item__arrow">›</span> 556 alpine-baselayout/alpine-baselayout@3.4.3-r1 557 <span class="list-paths__item__arrow">›</span> 558 busybox/busybox-binsh@1.36.1-r0 559 560 </span> 561 562 </li> 563 <li> 564 <span class="list-paths__item__introduced"><em>Introduced through</em>: 565 docker-image|redis@7.0.11-alpine 566 <span class="list-paths__item__arrow">›</span> 567 busybox/ssl_client@1.36.1-r0 568 569 </span> 570 571 </li> 572 </ul><!-- .list-paths --> 573 574 </div><!-- .card__section --> 575 576 <hr/> 577 <!-- Overview --> 578 <h2 id="nvd-description">NVD Description</h2> 579 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>busybox</code> package and not the <code>busybox</code> package as distributed by <code>Alpine</code>.</em> 580 <em>See <code>How to fix?</code> for <code>Alpine:3.18</code> relevant fixed versions and status.</em></p> 581 <p>There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. 
In an Internet of Vehicles environment, this vulnerability can be exploited from command execution to arbitrary code execution.</p> 582 <h2 id="remediation">Remediation</h2> 583 <p>Upgrade <code>Alpine:3.18</code> <code>busybox</code> to version 1.36.1-r1 or higher.</p> 584 <h2 id="references">References</h2> 585 <ul> 586 <li><a href="https://bugs.busybox.net/show_bug.cgi?id=15216">cve@mitre.org</a></li> 587 </ul> 588 589 <hr/> 590 591 <div class="cta card__cta"> 592 <p><a href="https://snyk.io/vuln/SNYK-ALPINE318-BUSYBOX-5890990">More about this vulnerability</a></p> 593 </div> 594 595 </div><!-- .card --> 596 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 597 <h2 class="card__title">Improper Authentication</h2> 598 <div class="card__section"> 599 600 <div class="label label--medium"> 601 <span class="label__text">medium severity</span> 602 </div> 603 604 <hr/> 605 606 <ul class="card__meta"> 607 <li class="card__meta__item"> 608 Package Manager: alpine:3.18 609 </li> 610 <li class="card__meta__item"> 611 Vulnerable module: 612 613 openssl/libcrypto3 614 </li> 615 616 <li class="card__meta__item">Introduced through: 617 618 docker-image|redis@7.0.11-alpine and openssl/libcrypto3@3.1.1-r1 619 620 </li> 621 </ul> 622 623 <hr/> 624 625 626 <h3 class="card__section__title">Detailed paths</h3> 627 628 <ul class="card__meta__paths"> 629 <li> 630 <span class="list-paths__item__introduced"><em>Introduced through</em>: 631 docker-image|redis@7.0.11-alpine 632 <span class="list-paths__item__arrow">›</span> 633 openssl/libcrypto3@3.1.1-r1 634 635 </span> 636 637 </li> 638 <li> 639 <span class="list-paths__item__introduced"><em>Introduced through</em>: 640 docker-image|redis@7.0.11-alpine 641 <span class="list-paths__item__arrow">›</span> 642 .redis-rundeps@20230614.215749 643 <span class="list-paths__item__arrow">›</span> 644 openssl/libcrypto3@3.1.1-r1 645 646 </span> 647 648 </li> 649 <li> 650 <span 
class="list-paths__item__introduced"><em>Introduced through</em>: 651 docker-image|redis@7.0.11-alpine 652 <span class="list-paths__item__arrow">›</span> 653 apk-tools/apk-tools@2.14.0-r2 654 <span class="list-paths__item__arrow">›</span> 655 openssl/libcrypto3@3.1.1-r1 656 657 </span> 658 659 </li> 660 <li> 661 <span class="list-paths__item__introduced"><em>Introduced through</em>: 662 docker-image|redis@7.0.11-alpine 663 <span class="list-paths__item__arrow">›</span> 664 busybox/ssl_client@1.36.1-r0 665 <span class="list-paths__item__arrow">›</span> 666 openssl/libcrypto3@3.1.1-r1 667 668 </span> 669 670 </li> 671 <li> 672 <span class="list-paths__item__introduced"><em>Introduced through</em>: 673 docker-image|redis@7.0.11-alpine 674 <span class="list-paths__item__arrow">›</span> 675 .redis-rundeps@20230614.215749 676 <span class="list-paths__item__arrow">›</span> 677 openssl/libssl3@3.1.1-r1 678 <span class="list-paths__item__arrow">›</span> 679 openssl/libcrypto3@3.1.1-r1 680 681 </span> 682 683 </li> 684 <li> 685 <span class="list-paths__item__introduced"><em>Introduced through</em>: 686 docker-image|redis@7.0.11-alpine 687 <span class="list-paths__item__arrow">›</span> 688 openssl/libssl3@3.1.1-r1 689 690 </span> 691 692 </li> 693 <li> 694 <span class="list-paths__item__introduced"><em>Introduced through</em>: 695 docker-image|redis@7.0.11-alpine 696 <span class="list-paths__item__arrow">›</span> 697 .redis-rundeps@20230614.215749 698 <span class="list-paths__item__arrow">›</span> 699 openssl/libssl3@3.1.1-r1 700 701 </span> 702 703 </li> 704 <li> 705 <span class="list-paths__item__introduced"><em>Introduced through</em>: 706 docker-image|redis@7.0.11-alpine 707 <span class="list-paths__item__arrow">›</span> 708 apk-tools/apk-tools@2.14.0-r2 709 <span class="list-paths__item__arrow">›</span> 710 openssl/libssl3@3.1.1-r1 711 712 </span> 713 714 </li> 715 <li> 716 <span class="list-paths__item__introduced"><em>Introduced through</em>: 717 
docker-image|redis@7.0.11-alpine 718 <span class="list-paths__item__arrow">›</span> 719 busybox/ssl_client@1.36.1-r0 720 <span class="list-paths__item__arrow">›</span> 721 openssl/libssl3@3.1.1-r1 722 723 </span> 724 725 </li> 726 </ul><!-- .list-paths --> 727 728 </div><!-- .card__section --> 729 730 <hr/> 731 <!-- Overview --> 732 <h2 id="nvd-description">NVD Description</h2> 733 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine:3.18</code>.</em> 734 <em>See <code>How to fix?</code> for <code>Alpine:3.18</code> relevant fixed versions and status.</em></p> 735 <p>Issue summary: The AES-SIV cipher implementation contains a bug that causes 736 it to ignore empty associated data entries, which are unauthenticated as 737 a consequence.</p> 738 <p>Impact summary: Applications that use the AES-SIV algorithm and want to 739 authenticate empty data entries as associated data can be misled by removing, 740 adding or reordering such empty entries, as these are ignored by the OpenSSL 741 implementation. We are currently unaware of any such applications.</p> 742 <p>The AES-SIV algorithm allows for authentication of multiple associated 743 data entries along with the encryption. To authenticate empty data the 744 application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with 745 a NULL pointer as the output buffer and 0 as the input buffer length. 746 The AES-SIV implementation in OpenSSL just returns success for such a call 747 instead of performing the associated data authentication operation. 
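The S2V construction that the paragraph above refers to, as an added illustration that is neither OpenSSL's code nor part of this Snyk report. It implements S2V from RFC 5297 with HMAC-SHA256 truncated to 128 bits standing in for AES-CMAC (an assumption made so the block runs on the standard library alone; the chaining structure is what matters here), plus a `skip_empty` switch that models the behaviour described in the advisory: an empty associated-data component is treated as a no-op instead of being folded into the running value D. `tags_differ`, `DEMO_KEY` and the sample components are constructed for the demo and appear nowhere in the report.

```python
import hmac
import hashlib

BLOCK = 16
DEMO_KEY = bytes(range(16))  # constructed demo key, not a real secret


def prf(key, msg):
    # Stand-in PRF (assumption): HMAC-SHA256 truncated to one 128-bit block.
    # Real AES-SIV uses AES-CMAC here; the S2V structure is what this demo shows.
    return hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK]


def dbl(block):
    # Doubling in GF(2^128) exactly as RFC 5297 section 2.3 defines it.
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(BLOCK, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(s):
    # 10* padding of a short final string up to one block.
    return s + b"\x80" + b"\x00" * (BLOCK - 1 - len(s))


def s2v(key, strings, skip_empty=False):
    """RFC 5297 S2V over `strings` = associated-data components + plaintext last.

    skip_empty=True models the behaviour the advisory describes: an empty
    associated-data component is dropped and never mixed into D.
    """
    if skip_empty:
        strings = [s for s in strings[:-1] if s] + [strings[-1]]
    d = prf(key, bytes(BLOCK))            # PRF(K, <zero>)
    for s in strings[:-1]:
        d = xor(dbl(d), prf(key, s))      # every component, empty or not, moves D
    last = strings[-1]
    if len(last) >= BLOCK:
        t = last[:-BLOCK] + xor(last[-BLOCK:], d)   # S_n xorend D
    else:
        t = xor(dbl(d), pad(last))
    return prf(key, t)


def tags_differ(key, aad_a, aad_b, plaintext, skip_empty=False):
    """True when the two associated-data lists yield different synthetic IVs."""
    return s2v(key, aad_a + [plaintext], skip_empty) != s2v(key, aad_b + [plaintext], skip_empty)


if __name__ == "__main__":
    with_empty, without = [b"hdr", b"", b"ctx"], [b"hdr", b"ctx"]
    print("correct S2V distinguishes:", tags_differ(DEMO_KEY, with_empty, without, b"payload"))
    print("skip-empty S2V distinguishes:", tags_differ(DEMO_KEY, with_empty, without, b"payload", True))
```

With `skip_empty=False`, the component lists `[b"hdr", b"", b"ctx"]` and `[b"hdr", b"ctx"]` produce different synthetic IVs, so a message whose empty entry was removed, inserted or moved fails authentication. With the flag on, both lists collapse to the same IV, which is exactly the gap the advisory describes.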
748 The empty data thus will not be authenticated.</p> 749 <p>As this issue does not affect non-empty associated data authentication and 750 we expect it to be rare for an application to use empty associated data 751 entries this is qualified as Low severity issue.</p> 752 <h2 id="remediation">Remediation</h2> 753 <p>Upgrade <code>Alpine:3.18</code> <code>openssl</code> to version 3.1.1-r2 or higher.</p> 754 <h2 id="references">References</h2> 755 <ul> 756 <li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598">openssl-security@openssl.org</a></li> 757 <li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc">openssl-security@openssl.org</a></li> 758 <li><a href="https://www.openssl.org/news/secadv/20230714.txt">openssl-security@openssl.org</a></li> 759 <li><a href="http://www.openwall.com/lists/oss-security/2023/07/15/1">openssl-security@openssl.org</a></li> 760 <li><a href="http://www.openwall.com/lists/oss-security/2023/07/19/5">openssl-security@openssl.org</a></li> 761 <li><a href="https://security.netapp.com/advisory/ntap-20230725-0004/">openssl-security@openssl.org</a></li> 762 </ul> 763 764 <hr/> 765 766 <div class="cta card__cta"> 767 <p><a href="https://snyk.io/vuln/SNYK-ALPINE318-OPENSSL-5776808">More about this vulnerability</a></p> 768 </div> 769 770 </div><!-- .card --> 771 <div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium"> 772 <h2 class="card__title">Inefficient Regular Expression Complexity</h2> 773 <div class="card__section"> 774 775 <div class="label label--medium"> 776 <span class="label__text">medium severity</span> 777 </div> 778 779 <hr/> 780 781 <ul class="card__meta"> 782 <li class="card__meta__item"> 783 Package Manager: alpine:3.18 784 </li> 785 <li class="card__meta__item"> 786 Vulnerable module: 787 788 openssl/libcrypto3 789 </li> 790 791 <li class="card__meta__item">Introduced 
through: 792 793 docker-image|redis@7.0.11-alpine and openssl/libcrypto3@3.1.1-r1 794 795 </li> 796 </ul> 797 798 <hr/> 799 800 801 <h3 class="card__section__title">Detailed paths</h3> 802 803 <ul class="card__meta__paths"> 804 <li> 805 <span class="list-paths__item__introduced"><em>Introduced through</em>: 806 docker-image|redis@7.0.11-alpine 807 <span class="list-paths__item__arrow">›</span> 808 openssl/libcrypto3@3.1.1-r1 809 810 </span> 811 812 </li> 813 <li> 814 <span class="list-paths__item__introduced"><em>Introduced through</em>: 815 docker-image|redis@7.0.11-alpine 816 <span class="list-paths__item__arrow">›</span> 817 .redis-rundeps@20230614.215749 818 <span class="list-paths__item__arrow">›</span> 819 openssl/libcrypto3@3.1.1-r1 820 821 </span> 822 823 </li> 824 <li> 825 <span class="list-paths__item__introduced"><em>Introduced through</em>: 826 docker-image|redis@7.0.11-alpine 827 <span class="list-paths__item__arrow">›</span> 828 apk-tools/apk-tools@2.14.0-r2 829 <span class="list-paths__item__arrow">›</span> 830 openssl/libcrypto3@3.1.1-r1 831 832 </span> 833 834 </li> 835 <li> 836 <span class="list-paths__item__introduced"><em>Introduced through</em>: 837 docker-image|redis@7.0.11-alpine 838 <span class="list-paths__item__arrow">›</span> 839 busybox/ssl_client@1.36.1-r0 840 <span class="list-paths__item__arrow">›</span> 841 openssl/libcrypto3@3.1.1-r1 842 843 </span> 844 845 </li> 846 <li> 847 <span class="list-paths__item__introduced"><em>Introduced through</em>: 848 docker-image|redis@7.0.11-alpine 849 <span class="list-paths__item__arrow">›</span> 850 .redis-rundeps@20230614.215749 851 <span class="list-paths__item__arrow">›</span> 852 openssl/libssl3@3.1.1-r1 853 <span class="list-paths__item__arrow">›</span> 854 openssl/libcrypto3@3.1.1-r1 855 856 </span> 857 858 </li> 859 <li> 860 <span class="list-paths__item__introduced"><em>Introduced through</em>: 861 docker-image|redis@7.0.11-alpine 862 <span class="list-paths__item__arrow">›</span> 863 
openssl/libssl3@3.1.1-r1 864 865 </span> 866 867 </li> 868 <li> 869 <span class="list-paths__item__introduced"><em>Introduced through</em>: 870 docker-image|redis@7.0.11-alpine 871 <span class="list-paths__item__arrow">›</span> 872 .redis-rundeps@20230614.215749 873 <span class="list-paths__item__arrow">›</span> 874 openssl/libssl3@3.1.1-r1 875 876 </span> 877 878 </li> 879 <li> 880 <span class="list-paths__item__introduced"><em>Introduced through</em>: 881 docker-image|redis@7.0.11-alpine 882 <span class="list-paths__item__arrow">›</span> 883 apk-tools/apk-tools@2.14.0-r2 884 <span class="list-paths__item__arrow">›</span> 885 openssl/libssl3@3.1.1-r1 886 887 </span> 888 889 </li> 890 <li> 891 <span class="list-paths__item__introduced"><em>Introduced through</em>: 892 docker-image|redis@7.0.11-alpine 893 <span class="list-paths__item__arrow">›</span> 894 busybox/ssl_client@1.36.1-r0 895 <span class="list-paths__item__arrow">›</span> 896 openssl/libssl3@3.1.1-r1 897 898 </span> 899 900 </li> 901 </ul><!-- .list-paths --> 902 903 </div><!-- .card__section --> 904 905 <hr/> 906 <!-- Overview --> 907 <h2 id="nvd-description">NVD Description</h2> 908 <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em> 909 <em>See <code>How to fix?</code> for <code>Alpine:3.18</code> relevant fixed versions and status.</em></p> 910 <p>Issue summary: Checking excessively long DH keys or parameters may be very slow.</p> 911 <p>Impact summary: Applications that use the functions DH_check(), DH_check_ex() 912 or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long 913 delays. Where the key or parameters that are being checked have been obtained 914 from an untrusted source this may lead to a Denial of Service.</p> 915 <p>The function DH_check() performs various checks on DH parameters. 
One of those 916 checks confirms that the modulus ('p' parameter) is not too large. Trying to use 917 a very large modulus is slow and OpenSSL will not normally use a modulus which 918 is over 10,000 bits in length.</p> 919 <p>However, the DH_check() function checks numerous aspects of the key or parameters 920 that have been supplied. Some of those checks use the supplied modulus value 921 even if it has already been found to be too large.</p> 922 <p>An application that calls DH_check() and supplies a key or parameters obtained 923 from an untrusted source could be vulnerable to a Denial of Service attack.</p> 924 <p>The function DH_check() is itself called by a number of other OpenSSL functions. 925 An application calling any of those other functions may similarly be affected. 926 The other functions affected by this are DH_check_ex() and 927 EVP_PKEY_param_check().</p> 928 <p>Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications 929 when using the '-check' option.</p> 930 <p>The OpenSSL SSL/TLS implementation is not affected by this issue. 
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>Alpine:3.18</code> <code>openssl</code> to version 3.1.1-r3 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb">openssl-security@openssl.org</a></li>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528">openssl-security@openssl.org</a></li>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c">openssl-security@openssl.org</a></li>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23">openssl-security@openssl.org</a></li>
<li><a href="https://www.openssl.org/news/secadv/20230719.txt">openssl-security@openssl.org</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2023/07/19/4">openssl-security@openssl.org</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2023/07/19/5">openssl-security@openssl.org</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2023/07/19/6">openssl-security@openssl.org</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2023/07/31/1">openssl-security@openssl.org</a></li>
<li><a href="https://security.netapp.com/advisory/ntap-20230803-0011/">openssl-security@openssl.org</a></li>
<li><a href="https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html">openssl-security@openssl.org</a></li>
</ul>

<hr/>

<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-ALPINE318-OPENSSL-5788370">More about this vulnerability</a></p>
</div>

</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--medium" data-snyk-test="medium">
<h2 class="card__title">Excessive Iteration</h2>
<div class="card__section">

<div class="label label--medium">
<span class="label__text">medium severity</span>
</div>

<hr/>

<ul class="card__meta">
<li class="card__meta__item">
Package Manager: alpine:3.18
</li>
<li class="card__meta__item">
Vulnerable module:

openssl/libcrypto3
</li>

<li class="card__meta__item">Introduced through:

docker-image|redis@7.0.11-alpine and openssl/libcrypto3@3.1.1-r1

</li>
</ul>

<hr/>

<h3 class="card__section__title">Detailed paths</h3>

<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|redis@7.0.11-alpine
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|redis@7.0.11-alpine
<span class="list-paths__item__arrow">›</span>
.redis-rundeps@20230614.215749
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|redis@7.0.11-alpine
<span class="list-paths__item__arrow">›</span>
apk-tools/apk-tools@2.14.0-r2
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|redis@7.0.11-alpine
<span class="list-paths__item__arrow">›</span>
busybox/ssl_client@1.36.1-r0
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|redis@7.0.11-alpine
<span class="list-paths__item__arrow">›</span>
.redis-rundeps@20230614.215749
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.1.1-r1
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|redis@7.0.11-alpine
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|redis@7.0.11-alpine
<span class="list-paths__item__arrow">›</span>
.redis-rundeps@20230614.215749
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|redis@7.0.11-alpine
<span class="list-paths__item__arrow">›</span>
apk-tools/apk-tools@2.14.0-r2
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|redis@7.0.11-alpine
<span class="list-paths__item__arrow">›</span>
busybox/ssl_client@1.36.1-r0
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.1.1-r1
</span>
</li>
</ul><!-- .list-paths -->

</div><!-- .card__section -->

<hr/>
<!-- Overview -->
<h2 id="nvd-description">NVD Description</h2>
<p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em>
<em>See <code>How to fix?</code> for <code>Alpine:3.18</code> relevant fixed versions and status.</em></p>
<p>Issue summary: Checking excessively long DH keys or parameters may be very slow.</p>
<p>Impact summary: Applications that use the functions DH_check(), DH_check_ex()
or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
delays. Where the key or parameters that are being checked have been obtained
from an untrusted source this may lead to a Denial of Service.</p>
<p>The function DH_check() performs various checks on DH parameters. After fixing
CVE-2023-3446 it was discovered that a large q parameter value can also trigger
an overly long computation during some of these checks. A correct q value,
if present, cannot be larger than the modulus p parameter, thus it is
unnecessary to perform these checks if q is larger than p.</p>
<p>An application that calls DH_check() and supplies a key or parameters obtained
from an untrusted source could be vulnerable to a Denial of Service attack.</p>
<p>The function DH_check() is itself called by a number of other OpenSSL functions.
An application calling any of those other functions may similarly be affected.
The other functions affected by this are DH_check_ex() and
EVP_PKEY_param_check().</p>
<p>Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
when using the "-check" option.</p>
<p>The OpenSSL SSL/TLS implementation is not affected by this issue.</p>
<p>The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>Alpine:3.18</code> <code>openssl</code> to version 3.1.2-r0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5">openssl-security@openssl.org</a></li>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644">openssl-security@openssl.org</a></li>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f">openssl-security@openssl.org</a></li>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5">openssl-security@openssl.org</a></li>
<li><a href="https://www.openssl.org/news/secadv/20230731.txt">openssl-security@openssl.org</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2023/07/31/1">openssl-security@openssl.org</a></li>
<li><a href="http://seclists.org/fulldisclosure/2023/Jul/43">openssl-security@openssl.org</a></li>
<li><a href="https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html">openssl-security@openssl.org</a></li>
<li><a href="https://security.netapp.com/advisory/ntap-20230818-0014/">openssl-security@openssl.org</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2023/09/22/9">openssl-security@openssl.org</a></li>
<li><a href="http://www.openwall.com/lists/oss-security/2023/09/22/11">openssl-security@openssl.org</a></li>
<li><a href="https://security.netapp.com/advisory/ntap-20231027-0008/">openssl-security@openssl.org</a></li>
</ul>

<hr/>

<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-ALPINE318-OPENSSL-5821142">More about this vulnerability</a></p>
</div>

</div><!-- .card -->
<div class="card card--vuln disclosure--not-new severity--low" data-snyk-test="low">
<h2 class="card__title">CVE-2023-5363</h2>
<div class="card__section">

<div class="label label--low">
<span class="label__text">low severity</span>
</div>

<hr/>

<ul class="card__meta">
<li class="card__meta__item">
Package Manager: alpine:3.18
</li>
<li class="card__meta__item">
Vulnerable module:

openssl/libcrypto3
</li>

<li class="card__meta__item">Introduced through:

docker-image|redis@7.0.11-alpine and openssl/libcrypto3@3.1.1-r1

</li>
</ul>

<hr/>

<h3 class="card__section__title">Detailed paths</h3>

<ul class="card__meta__paths">
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|redis@7.0.11-alpine
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|redis@7.0.11-alpine
<span class="list-paths__item__arrow">›</span>
.redis-rundeps@20230614.215749
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|redis@7.0.11-alpine
<span class="list-paths__item__arrow">›</span>
apk-tools/apk-tools@2.14.0-r2
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|redis@7.0.11-alpine
<span class="list-paths__item__arrow">›</span>
busybox/ssl_client@1.36.1-r0
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|redis@7.0.11-alpine
<span class="list-paths__item__arrow">›</span>
.redis-rundeps@20230614.215749
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.1.1-r1
<span class="list-paths__item__arrow">›</span>
openssl/libcrypto3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|redis@7.0.11-alpine
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|redis@7.0.11-alpine
<span class="list-paths__item__arrow">›</span>
.redis-rundeps@20230614.215749
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|redis@7.0.11-alpine
<span class="list-paths__item__arrow">›</span>
apk-tools/apk-tools@2.14.0-r2
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.1.1-r1
</span>
</li>
<li>
<span class="list-paths__item__introduced"><em>Introduced through</em>:
docker-image|redis@7.0.11-alpine
<span class="list-paths__item__arrow">›</span>
busybox/ssl_client@1.36.1-r0
<span class="list-paths__item__arrow">›</span>
openssl/libssl3@3.1.1-r1
</span>
</li>
</ul><!-- .list-paths -->

</div><!-- .card__section -->

<hr/>
<!-- Overview -->
<h2 id="nvd-description">NVD Description</h2>
<p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Alpine</code>.</em>
<em>See <code>How to fix?</code> for <code>Alpine:3.18</code> relevant fixed versions and status.</em></p>
<p>Issue summary: A bug has been identified in the processing of key and
initialisation vector (IV) lengths. This can lead to potential truncation
or overruns during the initialisation of some symmetric ciphers.</p>
<p>Impact summary: A truncation in the IV can result in non-uniqueness,
which could result in loss of confidentiality for some cipher modes.</p>
<p>When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or
EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after
the key and IV have been established. Any alterations to the key length,
via the "keylen" parameter or the IV length, via the "ivlen" parameter,
within the OSSL_PARAM array will not take effect as intended, potentially
causing truncation or overreading of these values. The following ciphers
and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.</p>
<p>For the CCM, GCM and OCB cipher modes, truncation of the IV can result in
loss of confidentiality. For example, when following NIST's SP 800-38D
section 8.2.1 guidance for constructing a deterministic IV for AES in
GCM mode, truncation of the counter portion could lead to IV reuse.</p>
<p>Both truncations and overruns of the key and overruns of the IV will
produce incorrect results and could, in some cases, trigger a memory
exception. However, these issues are not currently assessed as security
critical.</p>
<p>Changing the key and/or IV lengths is not considered to be a common operation
and the vulnerable API was recently introduced. Furthermore it is likely that
application developers will have spotted this problem during testing since
decryption would fail unless both peers in the communication were similarly
vulnerable. For these reasons we expect the probability of an application being
vulnerable to this to be quite low. However if an application is vulnerable then
this issue is considered very serious. For these reasons we have assessed this
issue as Moderate severity overall.</p>
<p>The OpenSSL SSL/TLS implementation is not affected by this issue.</p>
<p>The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because
the issue lies outside of the FIPS provider boundary.</p>
<p>OpenSSL 3.1 and 3.0 are vulnerable to this issue.</p>
<h2 id="remediation">Remediation</h2>
<p>Upgrade <code>Alpine:3.18</code> <code>openssl</code> to version 3.1.4-r0 or higher.</p>
<h2 id="references">References</h2>
<ul>
<li><a href="http://www.openwall.com/lists/oss-security/2023/10/24/1">openssl-security@openssl.org</a></li>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d">openssl-security@openssl.org</a></li>
<li><a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee">openssl-security@openssl.org</a></li>
<li><a href="https://www.debian.org/security/2023/dsa-5532">openssl-security@openssl.org</a></li>
<li><a href="https://www.openssl.org/news/secadv/20231024.txt">openssl-security@openssl.org</a></li>
<li><a href="https://security.netapp.com/advisory/ntap-20231027-0010/">openssl-security@openssl.org</a></li>
</ul>

<hr/>

<div class="cta card__cta">
<p><a href="https://snyk.io/vuln/SNYK-ALPINE318-OPENSSL-6032386">More about this vulnerability</a></p>
</div>

</div><!-- .card -->
</div><!-- cards -->
</div>
</main><!-- .layout-stacked__content -->
</body>

</html>