Amazon Linux 2023 : openssl, openssl-devel, openssl-fips-provider-latest (ALAS2023-2025-1225)

medium Nessus Plugin ID 270526

Synopsis

The remote Amazon Linux 2023 host is missing a security update.

Description

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1225 advisory.

Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.

Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.

Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. (CVE-2025-9230)

Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.

Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker.

While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack.

OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts. However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm. (CVE-2025-9231)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Run 'dnf update openssl --releasever 2023.9.20251014' or 'dnf update --advisory ALAS2023-2025-1225 --releasever 2023.9.20251014' to update your system.

See Also

https://alas.aws.amazon.com//AL2023/ALAS2023-2025-1225.html

https://alas.aws.amazon.com/faqs.html

https://explore.alas.aws.amazon.com/CVE-2025-9230.html

https://explore.alas.aws.amazon.com/CVE-2025-9231.html

Plugin Details

Severity: Medium

ID: 270526

File Name: al2023_ALAS2023-2025-1225.nasl

Version: 1.1

Type: local

Agent: unix

Published: 10/15/2025

Updated: 10/15/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-9230

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2025-9231

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:openssl-debugsource, p-cpe:/a:amazon:linux:openssl-libs-debuginfo, cpe:/o:amazon:linux:2023, p-cpe:/a:amazon:linux:openssl-fips-provider-latest, p-cpe:/a:amazon:linux:openssl-fips-provider-latest-debuginfo, p-cpe:/a:amazon:linux:openssl-debuginfo, p-cpe:/a:amazon:linux:openssl-perl, p-cpe:/a:amazon:linux:openssl-snapsafe-libs-debuginfo, p-cpe:/a:amazon:linux:openssl-snapsafe-libs, p-cpe:/a:amazon:linux:openssl-libs, p-cpe:/a:amazon:linux:openssl-devel, p-cpe:/a:amazon:linux:openssl

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 10/14/2025

Vulnerability Publication Date: 4/9/2024

Reference Information

CVE: CVE-2025-9230, CVE-2025-9231

IAVA: 2025-A-0716