CVEs and the FIPS provider

Since the release of OpenSSL 3.0.0, several CVEs have been identified and resolved. While the majority of these vulnerabilities are unrelated to the validated FIPS providers, a few of them are applicable. This table lists all of the CVEs issued since the FIPS providers' releases and their relevance to the providers:

| CVE ID | Fixed | FIPS? | Notes |
|---|---|---|---|
| CVE-2024-6119 | 3.0.15, 3.1.7, 3.2.3, 3.3.2 | no | |
| CVE-2024-5535 | 3.0.15, 3.1.7, 3.2.3, 3.3.2 | no | |
| CVE-2024-4741 | 3.0.14, 3.1.6, 3.2.2, 3.3.1 | no | |
| CVE-2024-4603 | 3.0.14, 3.1.6, 3.2.2, 3.3.1 | yes | EVP_PKEY_public_check() can take a long time. Workaround: First check the value returned by EVP_PKEY_get_bits() and reject too large keys. |
| CVE-2024-2511 | 3.0.14, 3.1.6, 3.2.2 | no | |
| CVE-2024-0727 | 3.0.13, 3.1.5, 3.2.1 | no | |
| CVE-2023-6237 | 3.0.13, 3.1.5, 3.2.1 | yes | EVP_PKEY_public_check() can take a long time. Workaround: First check the value returned by EVP_PKEY_get_bits() and reject too large keys. |
| CVE-2023-6129 | 3.0.13, 3.1.5, 3.2.1 | no | |
| CVE-2023-5678 | 3.0.13, 3.1.5 | no | |
| CVE-2023-5363 | 3.0.12, 3.1.4 | no | |
| CVE-2023-4807 | 3.0.11, 3.1.3 | no | |
| CVE-2023-3817 | 3.0.10, 3.1.2 | no | |
| CVE-2023-3446 | 3.0.10, 3.1.2 | no | |
| CVE-2023-2975 | 3.0.10, 3.1.2 | no | |
| Release of 3.0.9 FIPS provider | | | |
| CVE-2023-2650 | 3.0.9, 3.1.1 | no | |
| CVE-2023-1255 | 3.0.9, 3.1.1 | yes | Possible denial of service on Arm 64 (aarch64) using AES XTS mode |
| CVE-2023-0466 | 3.0.9, 3.1.1 | no | |
| CVE-2023-0465 | 3.0.9, 3.1.1 | no | |
| CVE-2023-0464 | 3.0.9, 3.1.1 | no | |
| Release of 3.0.8 FIPS provider | | | |
| CVE-2023-0401 | 3.0.8 | no | |
| CVE-2023-0286 | 3.0.8 | no | |
| CVE-2023-0217 | 3.0.8 | yes | DSA public key checks (but not from TLS) |
| CVE-2023-0216 | 3.0.8 | no | |
| CVE-2023-0215 | 3.0.8 | no | |
| CVE-2022-4450 | 3.0.8 | no | |
| CVE-2022-4304 | 3.0.8 | yes | Timing side channel in RSA |
| CVE-2022-4203 | 3.0.8 | no | |
| CVE-2022-3996 | 3.0.8 | no | |
| CVE-2022-3786 | 3.0.7 | no | |
| CVE-2022-3602 | 3.0.7 | no | |
| CVE-2022-3358 | 3.0.6 | no | |
| CVE-2022-2274 | 3.0.5 | no | Bug introduced in 3.0.4 which isn't validated |
| CVE-2022-2097 | 3.0.5 | no | Architecture (x86) is not part of validation |
| CVE-2022-2068 | 3.0.4 | no | |
| CVE-2022-1473 | 3.0.3 | no | |
| CVE-2022-1434 | 3.0.3 | no | |
| CVE-2022-1343 | 3.0.3 | no | |
| CVE-2022-1292 | 3.0.3 | no | |
| CVE-2022-0778 | 3.0.2 | maybe | Difficult to encounter inside FIPS boundary |
| CVE-2021-4160 | 3.0.1 | no | Architecture (MIPS) is not part of validation |
| CVE-2021-4044 | 3.0.1 | no | |
| Release of 3.0.0 FIPS provider | | | |