{
  "threat_severity" : "Moderate",
  "public_date" : "2023-03-28T00:00:00Z",
  "bugzilla" : {
    "description" : "openssl: Certificate policy check not enabled",
    "id" : "2182565",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2182565"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "details" : [ "The function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications.", "A flaw was found in OpenSSL. The X509_VERIFY_PARAM_add0_policy() function is documented to enable the certificate policy check when doing certificate verification implicitly. However, implementing the function does not enable the check, allowing certificates with invalid or incorrect policies to pass the certificate verification. Suddenly enabling the policy check could break existing deployments, so it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. The applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications." ],
  "statement" : "This vulnerability is rated as moderate because OpenSSL's X509_VERIFY_PARAM_add0_policy() function does not properly enable certificate policy checks as documented. As a result, certificates with invalid or incorrect policies may pass verification, it could lead to policy enforcement issues in applications that rely on this function without explicitly enabling policy checks.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2023-12-07T00:00:00Z",
    "advisory" : "RHSA-2023:7625",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-openssl-1:1.1.1k-16.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2023-12-07T00:00:00Z",
    "advisory" : "RHSA-2023:7625",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-openssl-1:1.1.1k-16.el7jbcs"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-06-21T00:00:00Z",
    "advisory" : "RHSA-2023:3722",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "openssl-1:3.0.7-16.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-06-21T00:00:00Z",
    "advisory" : "RHSA-2023:3722",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "openssl-1:3.0.7-16.el9_2"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "release_date" : "2023-12-07T00:00:00Z",
    "advisory" : "RHSA-2023:7623",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7",
    "package" : "openssl"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 7",
    "release_date" : "2023-12-07T00:00:00Z",
    "advisory" : "RHSA-2023:7622",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el7",
    "package" : "jws5-tomcat-native-0:1.2.31-16.redhat_16.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 8",
    "release_date" : "2023-12-07T00:00:00Z",
    "advisory" : "RHSA-2023:7622",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el8",
    "package" : "jws5-tomcat-native-0:1.2.31-16.redhat_16.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 9",
    "release_date" : "2023-12-07T00:00:00Z",
    "advisory" : "RHSA-2023:7622",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9",
    "package" : "jws5-tomcat-native-0:1.2.31-16.redhat_16.el9jws"
  }, {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2023-12-07T00:00:00Z",
    "advisory" : "RHSA-2023:7626",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "openssl"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "openssl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "openssl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "ovmf",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "compat-openssl10",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "edk2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "openssl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "shim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "compat-openssl11",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "edk2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "shim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Out of support scope",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-0466\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-0466\nhttps://www.openssl.org/news/secadv/20230328.txt" ],
  "name" : "CVE-2023-0466",
  "csaw" : false
}