CVE-2023-0464: 
VirtualBox vulnerability analysis and mitigation

A security vulnerability (CVE-2023-0464) was identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. The vulnerability was discovered by David Benjamin (Google) and reported on January 12, 2023. The issue affects OpenSSL versions 3.1, 3.0, 1.1.1, and 1.0.2 (OpenSSL Advisory).

The vulnerability allows attackers to create a malicious certificate chain that triggers exponential use of computational resources, potentially leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the '-policy' argument to the command line utilities or by calling the 'X509VERIFYPARAMset1policies()' function. The issue has been assigned a CVSS score of 5.3 (Medium) (NVD).

When successfully exploited, this vulnerability can lead to a denial-of-service (DoS) condition through excessive resource consumption. The impact is particularly relevant for systems that have policy processing enabled and process X.509 certificate chains (OpenSSL Advisory).

Due to the low severity of this issue, OpenSSL did not immediately issue new releases. The fix was included in subsequent releases: OpenSSL 3.1.1, 3.0.9, 1.1.1u, and 1.0.2zh (premium support customers only). The fixes are also available in specific commits for different versions in the OpenSSL git repository (OpenSSL Advisory, Debian Advisory).