
MindSpore / federated


CVE-2024-0727

Status: TODO
Type: Bug-Report (opened by a member)
Created: 2024-01-24 09:42

1. Vulnerability information
CVE ID: CVE-2024-0727
Affected component: federated
Affected version (of the OpenSSL dependency): 1.1.1k
CVSS v3.0 score:
BaseScore: 5.5 Medium
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Summary (from the OpenSSL advisory):

Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash, leading to a potential Denial of Service attack.

Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly.

A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

Triage note: the version recorded for this component, 1.1.1k, predates the fix. The fix commits listed below are on the OpenSSL main repository for the 3.x branches and, for the 1.1.1 and 1.0.2 branches, only in the openssl/extended-releases tree, since 1.1.1 no longer receives public updates; per the linked advisory the fixed releases are 3.2.1, 3.1.5, 3.0.13, 1.1.1y and 1.0.2zl. Whether a branch of federated is actually affected depends on whether it loads PKCS12 files from untrusted sources through the listed OpenSSL APIs; using TLS with operator-provisioned certificates alone is not the attack path the advisory describes.
Published: 2024-01-26 17:15
Issue created: 2024-01-24 09:42:25
Details:
https://nvd.nist.gov/vuln/detail/CVE-2024-0727
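The advisory above describes the trigger only in prose: a PKCS12 ContentInfo whose contentType is present but whose content is absent, which unpatched OpenSSL decoded to a NULL pointer and then dereferenced in the PKCS12_unpack_* functions. The following is an added example, not code from MindSpore, the federated component, or OpenSSL: a small DER walker that rejects that exact shape before a blob from an untrusted source is handed to PKCS12_parse(). It assumes definite-length DER, PFX version 3, and models only the pkcs7-data and pkcs7-encryptedData content types; the sample blobs GOOD_PFX, BAD_OUTER_PFX and BAD_INNER_PFX are constructed in the script, not taken from real files, and the function and constant names are the example's own.

```python
from __future__ import annotations

# Added example, not code from MindSpore or OpenSSL. A pre-parse sanity check
# for PKCS12 (PFX) blobs from untrusted sources: it walks the outer DER layers
# and rejects the shape described by CVE-2024-0727, a ContentInfo whose
# contentType OID is present but whose [0] EXPLICIT content is absent. That is
# the case unpatched OpenSSL failed to check before dereferencing p7->d.data /
# p7->d.encrypted in PKCS12_unpack_authsafes(), PKCS12_unpack_p7data() and
# PKCS12_unpack_p7encdata(). Assumptions: definite-length DER only, PFX v3,
# and only the pkcs7-data and pkcs7-encryptedData content types are modelled.

OID_DATA = bytes.fromhex("2a864886f70d010701")            # 1.2.840.113549.1.7.1
OID_ENCRYPTED_DATA = bytes.fromhex("2a864886f70d010706")  # 1.2.840.113549.1.7.6


def tlv(tag, body):
    """DER-encode one TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not DER")
    else:
        nbytes = first & 0x7F
        if nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def check_content_info(ci, outer):
    """Check one PKCS#7 ContentInfo; the outer authSafe is also walked inside."""
    tag, oid, pos = read_tlv(ci, 0)
    if tag != 0x06:
        return False, "ContentInfo does not start with an OID"
    if pos >= len(ci):
        # contentType present, content absent: OpenSSL decodes this with
        # p7->d.data == NULL, the CVE-2024-0727 NULL dereference trigger.
        return False, "ContentInfo has no content field (CVE-2024-0727 shape)"
    tag, content, _ = read_tlv(ci, pos)
    if tag != 0xA0:
        return False, "ContentInfo content is not [0] EXPLICIT"
    tag, inner, _ = read_tlv(content, 0)
    if oid == OID_DATA:
        if tag != 0x04:
            return False, "pkcs7-data content is not an OCTET STRING"
        if outer:  # OCTET STRING wraps AuthenticatedSafe ::= SEQUENCE OF ContentInfo
            tag, seq, _ = read_tlv(inner, 0)
            if tag != 0x30:
                return False, "AuthenticatedSafe is not a SEQUENCE"
            p = 0
            while p < len(seq):
                tag, sub_ci, p = read_tlv(seq, p)
                if tag != 0x30:
                    return False, "AuthenticatedSafe element is not a ContentInfo"
                ok, why = check_content_info(sub_ci, outer=False)
                if not ok:
                    return False, "inner " + why
        return True, "ok"
    if outer:
        return False, "outer authSafe must be pkcs7-data"
    if oid == OID_ENCRYPTED_DATA and tag != 0x30:
        return False, "pkcs7-encryptedData content is not a SEQUENCE"
    return True, "ok"  # other inner types are left for the real parser


def check_pfx(der):
    """Return (accepted, reason) for a PFX blob before it reaches OpenSSL."""
    try:
        tag, pfx, end = read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return False, "PFX is not a single SEQUENCE"
        tag, ver, pos = read_tlv(pfx, 0)
        if tag != 0x02 or ver != b"\x03":
            return False, "PFX version is not 3"
        tag, auth_safe, _ = read_tlv(pfx, pos)
        if tag != 0x30:
            return False, "authSafe is not a ContentInfo SEQUENCE"
        return check_content_info(auth_safe, outer=True)
    except ValueError as e:
        return False, "malformed DER: " + str(e)


# Constructed sample blobs (built here, not taken from any real file).
def content_info(oid, content=None):
    body = tlv(0x06, oid)
    return tlv(0x30, body + (tlv(0xA0, content) if content is not None else b""))


_inner_ci = content_info(OID_DATA, tlv(0x04, tlv(0x30, b"")))  # empty SafeContents
GOOD_PFX = tlv(0x30, tlv(0x02, b"\x03") + content_info(OID_DATA, tlv(0x04, tlv(0x30, _inner_ci))))
BAD_OUTER_PFX = tlv(0x30, tlv(0x02, b"\x03") + content_info(OID_DATA))
_bad_safe = tlv(0x30, content_info(OID_ENCRYPTED_DATA))  # encryptedData with no content
BAD_INNER_PFX = tlv(0x30, tlv(0x02, b"\x03") + content_info(OID_DATA, tlv(0x04, _bad_safe)))
```

check_pfx() accepts GOOD_PFX and rejects both malformed blobs with a reason naming the missing content field. This is a filter, not a replacement for the upstream fix: the MAC check, the encrypted SafeContents and the bags inside them are still parsed by OpenSSL, so the component still needs a patched OpenSSL; the pre-check only keeps the known-bad shape away from an unpatched one.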

More references (deduplicated; the original record repeated the OpenSSL advisory, commit and NetApp links once per source)
Columns in the original: Source, Reference link, Source page

Source: openssl-security.openssl.org
  http://www.openwall.com/lists/oss-security/2024/03/11/1
  https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2
  https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a
  https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c
  https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8
  https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539
  https://security.netapp.com/advisory/ntap-20240208-0006/
  https://www.openssl.org/news/secadv/20240125.txt

Source: suse_bugzilla (source page: https://bugzilla.suse.com/show_bug.cgi?id=1219243)
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0727
  https://bugzilla.redhat.com/show_bug.cgi?id=2259944
  https://www.cve.org/CVERecord?id=CVE-2024-0727

Source: redhat_bugzilla (source page: https://bugzilla.redhat.com/show_bug.cgi?id=2259944)
  https://github.com/openssl/openssl/pull/23362
  https://access.redhat.com/errata/RHSA-2024:2447

Source: debian
  https://security-tracker.debian.org/tracker/CVE-2024-0727

Source: oracle
  https://www.oracle.com/security-alerts/bulletinapr2024.html

Source: anolis
  https://anas.openanolis.cn/cves/detail/CVE-2024-0727

Source: cve_search
  https://www.openssl.org/news/secadv/20240125.txt
  https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a
  https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c
  https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2
  https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8
  https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539
  https://security.netapp.com/advisory/ntap-20240208-0006/

Source: mageia
  http://advisories.mageia.org/MGASA-2024-0020.html

Source: amazon_linux_explore (source page: https://explore.alas.aws.amazon.com/CVE-2024-0727.html)
  https://access.redhat.com/security/cve/CVE-2024-0727
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727

Source: snyk (source pages: https://security.snyk.io/vuln/SNYK-RUBY-OPENSSL-6210216, https://security.snyk.io/vuln/SNYK-RUST-OPENSSLSRC-6210215, https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-6210214, https://security.snyk.io/vuln/SNYK-UNMANAGED-OPENSSL-6210213; each lists the same links)
  https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2
  https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2
  https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a
  https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c
  https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d
  https://github.com/openssl/openssl/pull/23362
  https://www.openssl.org/news/secadv/20240125.txt

Source: alpine (source page: https://security.alpinelinux.org/vuln/CVE-2024-0727)
  https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2
  https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a
  https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c
  https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8
  https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539
  https://www.openssl.org/news/secadv/20240125.txt

Source: ubuntu (source page: https://ubuntu.com/security/CVE-2024-0727)
  https://www.openssl.org/news/secadv/20240125.txt
  https://ubuntu.com/security/notices/USN-6622-1
  https://ubuntu.com/security/notices/USN-6632-1
  https://ubuntu.com/security/notices/USN-6709-1
  https://www.cve.org/CVERecord?id=CVE-2024-0727
  https://nvd.nist.gov/vuln/detail/CVE-2024-0727
  https://launchpad.net/bugs/cve/CVE-2024-0727
  https://security-tracker.debian.org/tracker/CVE-2024-0727
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727

Vulnerability analysis guide:
https://gitee.com/mindspore/community/blob/master/security/cve_issue_template.md
Vulnerability data source:
openBrain open-source vulnerability awareness system
Patch information:

Details
Columns in the original: Affected package, Fixed version, Fix patch, Introducing patch, Source. The record leaves the fixed-version and introducing-patch columns empty, and names an affected package only in the two ubuntu rows; entries below are deduplicated, with the reporting sources in parentheses.

Fix patches:
  https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2 (openssl-security.openssl.org, snyk, alpine, nvd)
  https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a (openssl-security.openssl.org, snyk, alpine, nvd)
  https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c (openssl-security.openssl.org, snyk, alpine, nvd)
  https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8 (openssl-security.openssl.org, alpine, nvd)
  https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539 (openssl-security.openssl.org, alpine, nvd)
  https://github.com/openssl/openssl/pull/23362 (redhat_bugzilla, snyk)
  https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2 (snyk)
  https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d (snyk)
  https://www.openssl.org/news/secadv/20240125.txt (nvd)
  Affected package edk2: https://git.openssl.org/?p=openssl.git;a=commit;h=09df4395b5071217b76dc7d3d2e630eb8c5a79c2 (ubuntu)
  Affected package openssl: https://git.openssl.org/?p=openssl.git;a=commit;h=09df4395b5071217b76dc7d3d2e630eb8c5a79c2 (ubuntu)

2. Vulnerability analysis feedback
Impact analysis:

MindSpore score:
5.5
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected-version check (affected / not affected):
1.master:
2.v0.1.0:
3.v2.0.0:

Comments (3)

mindspore-ci-bot created the Bug-Report
mindspore-ci-bot added the labels CVE/UNFIXED, v0.1.0 and v2.0.0

@bryanbj ,@liuchao ,@huangbingjian ,@dairenjie ,@liyuxia ,@zyli2020 ,@emmmmtang ,@Henry Shi ,@fangzhou0329 ,@shenwei41 ,@jxl ,@chenhaozhe ,@zhanghaibo ,@yanghaoran ,@looop5 ,@kyang ,@chengang ,@mindspore_ding ,@ougongchang ,@zhunaipan ,@herryshi1 ,@Zenzenzense ,@zhaoting ,@徐永飞 ,@yxx ,@ZPaC ,@Greatpan ,@yefeng ,@fangzehua
Notes on handling this issue:
1. When submitting a PR for a branch affected by this issue, the issue number must be given in the PR description to link them; otherwise this issue cannot be closed.
2. The template must be filled in completely, whether the branch is affected or not. Branches where the issue was not introduced need not be filled in. Otherwise this issue cannot be closed.
3. The template content below must be filled in completely; copy it into a reply in the comments. Note: the section titles (Impact analysis "影响性分析说明", MindSpore score "MindSpore评分", Affected-version check (affected / not affected) "受影响版本排查(受影响/不受影响)") must not be omitted, otherwise cve-manager cannot parse the reply.


Impact analysis:

MindSpore score: (score and vector)

Affected-version check (affected / not affected):
1.master:
2.v0.1.0:
3.v2.0.0:


For the detailed issue-handling procedure see:
https://gitee.com/mindspore/community/blob/master/security/cve_issue_template.md
For how to link a PR to an issue see:
https://gitee.com/help/articles/4142

TommyLike set the planned start date to 2024-01-24
TommyLike set the planned due date to 2024-02-23
TommyLike set the priority to Minor
mindspore-ci-bot edited the description (11 times)
emmmmtang removed the label v2.0.0
emmmmtang added the labels rct/bugfix, rca/others and ctl/componenttest
mindspore-ci-bot changed the task status from DONE to TODO

@188******92 please confirm whether the branches master, v0.1.0 and v2.0.0 are affected / not affected.
Please make sure the branch information is filled in completely; otherwise this issue cannot be closed.

mindspore-ci-bot removed the labels CVE/UNFIXED, v0.1.0, rct/bugfix, rca/others and ctl/componenttest
mindspore-ci-bot re-added the labels CVE/UNFIXED, ctl/componenttest, rca/others, rct/bugfix and v0.1.0
mindspore-ci-bot edited the description (14 times)


Repository: https://gitee.com/mindspore/federated.git (git@gitee.com:mindspore/federated.git)