
Oxide Security Announcement 20230808-2: OpenSSL Updates

This security announcement details three OpenSSL CVEs:

Oxide software embeds the OpenSSL libraries for use in TLS processing and related cryptographic processing. We do not believe that these vulnerabilities impact Oxide software. The next software release will contain an update to OpenSSL.

Revision History
Revision  Date (YYYYMMDD)  Changes
1.0       20230808         Initial Release

Impacted Products

Oxide Software Release v1.0.1. While the Oxide CLI embeds OpenSSL, it does not currently utilize affected functionality.

Impact

CVE-2023-3817 and CVE-2023-3466 relate to similar code paths, whereby validating Diffie-Hellman keys through OpenSSL's DH_check() function could lead to extended processing time. This could manifest as a denial of service. CVE-2023-2975 relates to an issue in the AES-SIV implementation that could allow empty data to go unauthenticated. AES-SIV is not currently used in Oxide products.

Action Required

Please ensure to update to the next regularly scheduled Oxide release.

For guest virtual machines, please check with your OS provider to ensure that the latest version of OpenSSL (3.1.2, 3.0.10, 1.1.1v, 1.0.2zi) is installed.
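As an added example (not part of this announcement or of Oxide's software), a small Python check that parses an OpenSSL version string and decides whether it is at or past the fixed releases listed above; the release-line table and the helper names are this example's own assumptions.

```python
"""Decide whether an OpenSSL version string is at or past the fixed releases
named in this announcement (3.1.2, 3.0.10, 1.1.1v, 1.0.2zi)."""
import re
import ssl

# Fixed releases from the announcement, keyed by release line (constructed table).
FIXED = {
    (3, 1): "3.1.2",
    (3, 0): "3.0.10",
    (1, 1, 1): "1.1.1v",
    (1, 0, 2): "1.0.2zi",
}

_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, patch, letters) from e.g. 'OpenSSL 1.1.1u  30 May 2023'."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4)


def _suffix_key(letters):
    # OpenSSL 1.x letter releases run a..z, then za, zb, ..., so ordering is
    # by (length, letters): 'zi' > 'z' > '' (no letter).
    return (len(letters), letters)


def is_fixed(text):
    """True if at/above the fixed release for its line, False if older,
    None if the line is not one the announcement lists (or not OpenSSL at all)."""
    if "LibreSSL" in text or "BoringSSL" in text:
        return None  # different version schemes; this announcement does not cover them
    major, minor, patch, letters = parse_version(text)
    fixed = FIXED.get((major, minor)) if major == 3 else FIXED.get((major, minor, patch))
    if fixed is None:
        return None
    _, _, fpatch, fletters = parse_version(fixed)
    if major == 3:
        return patch >= fpatch  # 3.x has numeric patch levels only
    return _suffix_key(letters) >= _suffix_key(fletters)


def check_running_openssl():
    """Evaluate the OpenSSL library this Python interpreter is linked against."""
    return ssl.OPENSSL_VERSION, is_fixed(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    version, ok = check_running_openssl()
    print(version, {True: "fixed", False: "NEEDS UPDATE", None: "line not listed"}[ok])
```

The same function can be run over the output of `openssl version` collected from guest VMs.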

Mitigations

There are no mitigations available at this time.

Technical Background

For full details, please see the related OpenSSL write-ups in the Additional Information section.