Fluid Attacks Database

Description

bottlerocket dependency openssl is vulnerable to read buffer overflow via X.509 verification A read buffer overflow can be triggered in OpenSSL X.509 verification during name constraint checking. Note that this occurs after the certificate chain has been verified and would require a compromised CA. This can cause a client or agent compiled with OpenSSL to crash unexpectedly. OpenSSL has been removed in bottlerocket/update-operator version 1.1.0 in favor of Rust-based TLS using rustls.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
cargo	bottlerocket/update-operator	>=0 <1.1.0	1.1.0

Aliases

1. OSV-GHSA-pj34-fpw3-83qj2. GHSA-pj34-fpw3-83qj3. GCVE-GHSA-pj34-fpw3-83qj

References

1. https://github.com/bottlerocket-os/bottlerocket-update-operator/security/advisories/GHSA-pj34-fpw3-83qj2. https://github.com/bottlerocket-os/bottlerocket-update-operator/releases/tag/v1.1.03. https://www.openssl.org/news/secadv/20230207.txt

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.