You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Issue summary: Applications performing certificate name checks (e.g., TLS
clients checking server certificates) may attempt to read an invalid memory
address resulting in abnormal termination of the application process.
Impact summary: Abnormal termination of an application can a cause a denial of
service.
Applications performing certificate name checks (e.g., TLS clients checking
server certificates) may attempt to read an invalid memory address when
comparing the expected name with an otherName subject alternative name of an
X.509 certificate. This may result in an exception that terminates the
application program.
Note that basic certificate chain validation (signatures, dates, ...) is not
affected, the denial of service can occur only when the application also
specifies an expected DNS name, Email address or IP address.
TLS servers rarely solicit client certificates, and even when they do, they
generally don't perform a name check against a reference identifier (expected
identity), but rather extract the presented identity after checking the
certificate chain. So TLS servers are generally not affected and the severity
of the issue is Moderate.
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
Remediation Steps
Update the affected package openssl-snapsafe-libs from version 1:3.0.8-1.amzn2023.0.14 to 1:3.0.8-1.amzn2023.0.15.
About this issue
This issue may not contain all the information about the CVE nor the images it affects.
This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
CVE Details
MEDIUM
openssl-snapsafe-libs
1:3.0.8-1.amzn2023.0.14
1:3.0.8-1.amzn2023.0.15
2024-09-03T16:15:07.177Z
2024-10-16T10:18:17.557075642Z
Affected Docker Images
public.ecr.aws/lambda/provided:latest
public.ecr.aws/lambda/provided@sha256:a78429f0c43c54b6fde88a6e49e3b1e14502e65d58133ac8e17fcfe5a74d4f3f
public.ecr.aws/lambda/provided:al2023
public.ecr.aws/lambda/provided@sha256:a78429f0c43c54b6fde88a6e49e3b1e14502e65d58133ac8e17fcfe5a74d4f3f
public.ecr.aws/lambda/python:latest
public.ecr.aws/lambda/python@sha256:e0eed1c4a447cfadac34369181090b9d5616d52f385959e08c4e8f942a668a5d
public.ecr.aws/lambda/python:3.12
public.ecr.aws/lambda/python@sha256:e0eed1c4a447cfadac34369181090b9d5616d52f385959e08c4e8f942a668a5d
public.ecr.aws/lambda/nodejs:latest
public.ecr.aws/lambda/nodejs@sha256:d846b18af23fe50dcf2d47af95892a71ac59df71a40b662bfef75a9e78e1cc30
public.ecr.aws/lambda/nodejs:20
public.ecr.aws/lambda/nodejs@sha256:d846b18af23fe50dcf2d47af95892a71ac59df71a40b662bfef75a9e78e1cc30
public.ecr.aws/lambda/java:latest
public.ecr.aws/lambda/java@sha256:0959dc1da644c0e48615fb6729ca7b70b7f374dda131677ca646033a93bc6d2d
public.ecr.aws/lambda/java:21
public.ecr.aws/lambda/java@sha256:0959dc1da644c0e48615fb6729ca7b70b7f374dda131677ca646033a93bc6d2d
public.ecr.aws/lambda/dotnet:latest
public.ecr.aws/lambda/dotnet@sha256:a6bad2e63b950dce59cc1bd1802211756281c6e975d6c6580ce0a94bb0c4215e
public.ecr.aws/lambda/dotnet:8
public.ecr.aws/lambda/dotnet@sha256:a6bad2e63b950dce59cc1bd1802211756281c6e975d6c6580ce0a94bb0c4215e
public.ecr.aws/lambda/ruby:latest
public.ecr.aws/lambda/ruby@sha256:a84fe02daf2dd291c6361f2961820f2db08068504d8e4d95b5d8a6637b93c022
public.ecr.aws/lambda/ruby:3.3
public.ecr.aws/lambda/ruby@sha256:a84fe02daf2dd291c6361f2961820f2db08068504d8e4d95b5d8a6637b93c022
Description
Impact summary: Abnormal termination of an application can a cause a denial of
service.
Applications performing certificate name checks (e.g., TLS clients checking
server certificates) may attempt to read an invalid memory address when
comparing the expected name with an
otherName
subject alternative name of anX.509 certificate. This may result in an exception that terminates the
application program.
Note that basic certificate chain validation (signatures, dates, ...) is not
affected, the denial of service can occur only when the application also
specifies an expected DNS name, Email address or IP address.
TLS servers rarely solicit client certificates, and even when they do, they
generally don't perform a name check against a reference identifier (expected
identity), but rather extract the presented identity after checking the
certificate chain. So TLS servers are generally not affected and the severity
of the issue is Moderate.
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
Remediation Steps
openssl-snapsafe-libs
from version1:3.0.8-1.amzn2023.0.14
to1:3.0.8-1.amzn2023.0.15
.About this issue
The text was updated successfully, but these errors were encountered: