CVE-2023-0286
Vulnerable Third-Party Library vulnerability in openssl-src (crates.io)
What is CVE-2023-0286 About?
This vulnerability arises from pyca/cryptography shipping statically linked, vulnerable versions of OpenSSL inside the wheels of cryptography versions 0.8.1 through 39.0.0. Users installing from the official PyPI wheels are affected and are exposed to the known OpenSSL security issues in the bundled library. This is a supply chain vulnerability, and its exploitation depends on the specific OpenSSL flaw being targeted.
Affected Software
- openssl-src
  - <111.25.0
  - >300.0.0, <300.0.12
  - >0.0.0-0, <111.25.0
- cryptography
  - >0.8.1, <39.0.1
Technical Details
The pyca/cryptography project's Python wheels ship with a statically linked copy of OpenSSL. Versions 0.8.1 through 39.0.0 of cryptography incorporate versions of OpenSSL that have known security vulnerabilities, as detailed in OpenSSL security advisories (e.g., 20221213.txt and 20230207.txt). This means that applications using cryptography by installing its pre-built wheels from PyPI are implicitly using the vulnerable OpenSSL library. Exploitation would target the underlying OpenSSL vulnerabilities, which could include anything from denial of service to remote code execution or information disclosure, depending on the specific flaw in the bundled OpenSSL version. Users building cryptography from source are responsible for their own OpenSSL versions.
What is the Impact of CVE-2023-0286?
Successful exploitation may allow attackers to leverage underlying OpenSSL vulnerabilities, potentially leading to denial of service, information disclosure, or remote code execution, depending on the specific flaw.
What is the Exploitability of CVE-2023-0286?
Exploitation depends entirely on the underlying OpenSSL vulnerabilities bundled with pyca/cryptography. The complexity, authentication, privilege, and access requirements (remote vs. local) will vary based on the specific OpenSSL flaw being targeted. For instance, some OpenSSL vulnerabilities might be remotely exploitable without authentication, while others might require specific network conditions or chained vulnerabilities. This is a supply chain issue where the vulnerability exists in a dependency. The risk is heightened for users who do not regularly update their dependencies or scrutinize their software supply chain, especially those relying on the pre-built cryptography wheels.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-0286?
Available Upgrade Options
- cryptography
  - >0.8.1, <39.0.1 → Upgrade to 39.0.1
- openssl-src
  - >0.0.0-0, <111.25.0 → Upgrade to 111.25.0
- openssl-src
  - >300.0.0, <300.0.12 → Upgrade to 300.0.12
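The affected ranges and upgrade targets above are the data a dependency audit needs. The following script is an added example (not tooling from pyca/cryptography, openssl-src or the advisory publisher): it encodes the page's ranges, checks inventory entries against them, and, where the cryptography package happens to be installed, reports which OpenSSL its wheel was built against via `openssl_version_text()` on cryptography's OpenSSL backend (that call is guarded, so the script also runs without the package). Function names, the `ADVISORY` table layout and the sample inventory are this example's own constructions.

```python
"""Audit package versions against the ranges listed for CVE-2023-0286.

Added example, not the project's own code. Ranges below are copied from
the advisory entry above; all bounds are exclusive, as the page lists them.
"""
import re
from typing import Optional

# Affected ranges as listed on the page: exclusive lower bound ("gt"),
# exclusive upper bound ("lt"), and the recommended upgrade target ("fix").
ADVISORY = {
    "cryptography": [
        {"gt": "0.8.1", "lt": "39.0.1", "fix": "39.0.1"},
    ],
    "openssl-src": [
        {"gt": "0.0.0-0", "lt": "111.25.0", "fix": "111.25.0"},
        {"gt": "300.0.0", "lt": "300.0.12", "fix": "300.0.12"},
    ],
}


def parse_version(text: str) -> tuple:
    """Turn '300.0.12', '39.0.1' or '0.0.0-0' into a comparable tuple.

    Dotted numeric components compare as integers and are padded to three
    places (so 1.2 == 1.2.0). A '-' or '+' suffix (pre-release / build tag,
    as in the page's '0.0.0-0') sorts *before* the plain release, matching
    semver and Cargo ordering.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-+](.*))?$", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))
    tag = m.group(2)
    # Final release: (release, 1). Pre-release: (release, 0, tag), which
    # compares lower than the final release with the same numbers.
    return (release, 1) if tag is None else (release, 0, tag)


def affected_range(package: str, version: str) -> Optional[dict]:
    """Return the matching affected range (with its fix), or None if clean."""
    v = parse_version(version)
    for rng in ADVISORY.get(package, []):
        if parse_version(rng["gt"]) < v < parse_version(rng["lt"]):
            return rng
    return None


def audit(package: str, version: str) -> str:
    """One-line verdict for an inventory entry."""
    rng = affected_range(package, version)
    if rng is None:
        return f"{package} {version}: not in an affected range"
    return (f"{package} {version}: AFFECTED ({rng['gt']} < v < {rng['lt']}), "
            f"upgrade to {rng['fix']}")


def installed_cryptography_report() -> Optional[dict]:
    """Probe the installed cryptography wheel, if any, for its own version
    and the OpenSSL it was built against. Returns None when the package is
    not installed or the backend API is not available in this release."""
    try:
        import cryptography
        from cryptography.hazmat.backends.openssl.backend import backend
        openssl = backend.openssl_version_text()
    except Exception:
        return None
    return {
        "cryptography": cryptography.__version__,
        "openssl": openssl,
        "verdict": audit("cryptography", cryptography.__version__),
    }


if __name__ == "__main__":
    # Constructed sample inventory, as one might extract from `pip freeze`
    # or `cargo metadata`; these are illustrative entries, not real findings.
    inventory = [
        ("cryptography", "38.0.4"),
        ("cryptography", "39.0.1"),
        ("openssl-src", "111.24.0"),
        ("openssl-src", "300.0.11"),
        ("openssl-src", "300.0.12"),
    ]
    for pkg, ver in inventory:
        print(audit(pkg, ver))
    print("installed cryptography:", installed_cryptography_report())
```

The version comparison is deliberately strict on the exclusive bounds: 0.8.1 and 39.0.1 are reported clean for cryptography, exactly as the page's `>`/`<` notation says, and 0.0.0-0 is recognised as a pre-release that sorts below 0.0.0 so that every openssl-src release below 111.25.0 falls inside the first range.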
Additional Resources
- https://www.openssl.org/news/secadv/20230207.txt
- https://github.com/pyca/cryptography
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d
- https://osv.dev/vulnerability/GHSA-x4qr-2fvf-3mr5
- https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt
- https://rustsec.org/advisories/RUSTSEC-2023-0006.html
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658
What are Similar Vulnerabilities to CVE-2023-0286?
CVE-2020-1967, CVE-2022-0778, CVE-2022-1292, CVE-2022-2068, CVE-2021-3712
