Wind River Support Network

HomeSafety and Security NoticesWind River Security Vulnerability Notice: CVE-2023-0286

Recommended

Wind River Security Vulnerability Notice: CVE-2023-0286

Released: Feb 8, 2023 Updated: Feb 7, 2023

Summary

Wind River Security Vulnerability Notice: CVE-2023-0286 of openssl

Affected Product Versions

Wind River Linux LTS 18, Wind River Linux LTS 17, Wind River Linux 9, Wind River Linux 8, Wind River Linux Distro LTS 22, Wind River Linux LTS 22, Wind River Linux Distro LTS 21, Wind River Linux Distro CD, Wind River Linux LTS 21, Wind River Linux LTS 19, Wind River Linux CD

Downloads

Hotpatch for CVE-2023-0286 on WRLinux CD (vWRLINUX_CI_10.23.01.0, vWRLINUX_CI_10.23.05.0)

Description

New released openssl fixed a "High" severity issue. OpenSSL versions 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

CVE-2023-0286: X.400 address type confusion in X.509 GeneralName

What software is known to be affected by this CVE?

OpenSSL versions 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Is Wind River Linux affected by this CVE issue?

All WRLinux releases are affected by this issue.

Affected software components:

openssl

Affected hardware:

This is a pure software issue.

Mitigation

Wind River will continue to monitor the various Open Source projects and will incorporate fixes as appropriate to supported products.

Upstream mitigation as below:

Master: https://github.com/openssl/openssl/commit/7880536fe17c2b5450e279155bedd51771d28c9f

3.1: https://github.com/openssl/openssl/commit/84d85fcabd6d8f3740ad015bda329512630799df

3.0: https://github.com/openssl/openssl/commit/2f7530077e0ef79d98718138716bc51ca0cad658

1_1_1-stable: https://github.com/openssl/openssl/commit/2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9

Additional References

https://www.openssl.org/news/secadv/20230207.txt

Changelog

2/8/2023: Initial