Alpine: libcrypto1.1, multiple openssl1.1-compat packages: security update to 1.1.1-r0 (deprecated)

high Tenable Cloud Security Plugin ID 400059

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A security vulnerability has been identified in all supported versions of OpenSSL related to the
verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit
this vulnerability by creating a malicious certificate chain that triggers exponential use of
computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy
processing is disabled by default but can be enabled by passing the `-policy' argument to the command line
utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. (CVE-2023-0464)

See Also

https://git.alpinelinux.org/aports/commit/?id=2a0d9a316b416eb451010a314346cebe3fd2d004

https://git.alpinelinux.org/aports/commit/?id=7b6019ce84020206c96a69e690daab15c39d8f8d

Plugin Details

Severity: High

ID: 400059

Version: Revision 1.45

Type: Local

Published: 3/22/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.65

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2023-0464

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/22/2023

Vulnerability Publication Date: 3/22/2023

Reference Information

CVE: CVE-2023-0464