Alpine: libcrypto3, multiple openssl packages: security update to 1.0.0-r0 (deprecated)

Critical - Tenable Self-Hosted Container Security Plugin ID 401303

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows
remote attackers to have an unspecified impact by triggering failure of a policy check. (CVE-2011-4109)

- The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if
certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding
oracle attack. (CVE-2011-4108)

- The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize
data structures for block cipher padding, which might allow remote attackers to obtain sensitive
information by decrypting the padding data sent by an SSL peer. (CVE-2011-4576)

- OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to
cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension
data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers. (CVE-2011-4577)

See Also

https://git.alpinelinux.org/aports/commit/?id=f991495d95edca20329870f76896142ea208d7a9

https://git.alpinelinux.org/aports/commit/?id=faa91bd53e15a32ec45bff73fe53148fa8a84d21

Plugin Details

Severity: Critical

ID: 401303

Version: Revision 1.22

Type: Local

Published: 8/16/2023

Updated: 1/17/2024

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2011-4109

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/5/2012

Vulnerability Publication Date: 1/4/2012

Reference Information

CVE: CVE-2011-4108, CVE-2011-4109, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2012-0027

BID: 51281

IAVA: 2012-A-0009-S