CVEs and the FIPS provider
After the release of OpenSSL 3.0.0, several CVEs have been identified and resolved. While the majority of these vulnerabilities are unrelated to the validated FIPS providers, a few of them are applicable. This table lists all of the CVEs issued since the FIPS providers’ releases and their relevance to it:
| CVE ID | Fixed | FIPS? | Notes |
|---|---|---|---|
| CVE-2024-6119 | 3.0.15 3.1.7 3.2.3 3.3.2 |
no | |
| CVE-2024-5535 | 3.0.15 3.1.7 3.2.3 3.3.2 |
no | |
| CVE-2024-4741 | 3.0.14 3.1.6 3.2.2 3.3.1 |
no | |
| CVE-2024-4603 | 3.0.14 3.1.6 3.2.2 3.3.1 |
yes | EVP_PKEY_public_check() can take a long time. Workaround: First check the value returned by EVP_PKEY_get_bits() and reject too large keys. |
| CVE-2024-2511 | 3.0.14 3.1.6 3.2.2 |
no | |
| CVE-2024-0727 | 3.0.13 3.1.5 3.2.1 |
no | |
| CVE-2023-6237 | 3.0.13 3.1.5 3.2.1 |
yes | EVP_PKEY_public_check() can take a long time. Workaround: First check the value returned by EVP_PKEY_get_bits() and reject too large keys. |
| CVE-2023-6129 | 3.0.13 3.1.5 3.2.1 |
no | |
| CVE-2023-5678 | 3.0.13 3.1.5 |
no | |
| CVE-2023-5363 | 3.0.12 3.1.4 |
no | |
| CVE-2023-4807 | 3.0.11 3.1.3 |
no | |
| CVE-2023-3817 | 3.0.10 3.1.2 |
no | |
| CVE-2023-3446 | 3.0.10 3.1.2 |
no | |
| CVE-2023-2975 | 3.0.10 3.1.2 |
no | |
| Release of 3.0.9 FIPS provider | |||
| CVE-2023-2650 | 3.0.9 3.1.1 |
no | |
| CVE-2023-1255 | 3.0.9 3.1.1 |
yes | Possible denial of service on Arm 64 (aarch64) using AES XTS mode |
| CVE-2023-0466 | 3.0.9 3.1.1 |
no | |
| CVE-2023-0465 | 3.0.9 3.1.1 |
no | |
| CVE-2023-0464 | 3.0.9 3.1.1 |
no | |
| Release of 3.0.8 FIPS provider | |||
| CVE-2023-0401 | 3.0.8 | no | |
| CVE-2023-0286 | 3.0.8 | no | |
| CVE-2023-0217 | 3.0.8 | yes | DSA public key checks (but not from TLS) |
| CVE-2023-0216 | 3.0.8 | no | |
| CVE-2023-0215 | 3.0.8 | no | |
| CVE-2022-4450 | 3.0.8 | no | |
| CVE-2022-4304 | 3.0.8 | yes | Timing side channel in RSA |
| CVE-2022-4203 | 3.0.8 | no | |
| CVE-2022-3996 | 3.0.8 | no | |
| CVE-2022-3786 | 3.0.7 | no | |
| CVE-2022-3602 | 3.0.7 | no | |
| CVE-2022-3358 | 3.0.6 | no | |
| CVE-2022-2274 | 3.0.5 | no | Bug introduced in 3.0.4 which isn’t validated |
| CVE-2022-2097 | 3.0.5 | no | Architecture (x86) is not part of validation |
| CVE-2022-2068 | 3.0.4 | no | |
| CVE-2022-1473 | 3.0.3 | no | |
| CVE-2022-1434 | 3.0.3 | no | |
| CVE-2022-1343 | 3.0.3 | no | |
| CVE-2022-1292 | 3.0.3 | no | |
| CVE-2022-0778 | 3.0.2 | maybe | Difficult to encounter inside FIPS boundary |
| CVE-2021-4160 | 3.0.1 | no | Architecture (MIPS) is not part of validation |
| CVE-2021-4044 | 3.0.1 | no | |
| Release of 3.0.0 FIPS provider |