OSG-SEC-2022-10-25 HIGH libksba integer overflow

Dear OSG Security Contacts,

A vulnerability was found in the libksba library due to an integer overflow within the CRL parser. The vulnerability is outlined in CVE-2022-3515. [1] KSBA (pronounced Kasbah) is a library to make X.509 certificates as well as the CMS (Cryptographic Message Syntax) easily accessible by other applications. Both specifications are building blocks of S/MIME and TLS.

IMPACTED VERSIONS:

All versions of libksba before 1.6.2.

WHAT ARE THE VULNERABILITIES:

The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment. [7]

WHAT YOU SHOULD DO:

Update affected systems as patches become available. Fixes are available for RedHat EL7, 8 and 9. All currently supported versions of Ubuntu also have fixes available.

Sites running RHEL should see [1]

Sites running CentOS should also see [1]

Sites running Ubuntu should see [2]

Sites running Scientific Linux should see [3]

Sites running Debian should see [4]

Sites running RockyLinux should see [5]

Sites running Almalinux should see [6]

REFERENCES

[1] https://access.redhat.com/security/cve/CVE-2022-3515

[2] https://ubuntu.com/security/CVE-2022-3515

[3] https://www.scientificlinux.org/category/sl-errata/

[4] https://security-tracker.debian.org/tracker

[5] https://errata.rockylinux.org/

[6] https://errata.almalinux.org/

[7] https://bugzilla.redhat.com/show_bug.cgi?id=2135610

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team