CVE-2023-0286: 
Java vulnerability analysis and mitigation

A type confusion vulnerability (CVE-2023-0286) was discovered in OpenSSL's X.400 address processing within X.509 GeneralName. The vulnerability was reported on January 11, 2023, and affects OpenSSL versions 3.0, 1.1.1, and 1.0.2. The issue stems from X.400 addresses being parsed as an ASN1STRING while the public structure definition for GENERALNAME incorrectly specified the type of the x400Address field as ASN1_TYPE (OpenSSL Advisory).

The vulnerability occurs when CRL checking is enabled (via X509VFLAGCRLCHECK flag). The technical issue arises from a mismatch between how X.400 addresses are parsed (as ASN1STRING) and how they are interpreted by the GENERALNAMEcmp function (as ASN1TYPE). This type confusion allows attackers to pass arbitrary pointers to a memcmp call. The vulnerability has been assigned a CVSS score of 7.4 (High), with attack vector being Network and attack complexity being High (Ubuntu CVE).

When exploited, this vulnerability can enable attackers to read memory contents or cause a denial of service. The impact is particularly significant for applications that have implemented their own functionality for retrieving CRLs over a network. The vulnerability requires the attacker to provide both the certificate chain and CRL, though neither needs to have a valid signature (OpenSSL Advisory).

OpenSSL has released patches for all affected versions. Users should upgrade to OpenSSL 3.0.8 (for 3.0 users), OpenSSL 1.1.1t (for 1.1.1 users), or OpenSSL 1.0.2zg (for premium support customers only). The fix involves changing the public header file definition of GENERAL_NAME so that x400Address reflects the correct implementation. While this change modifies the type of the x400Address field, there is no ABI change (OpenSSL Advisory).