Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qODU5LXBtcnEtOXE2Y84AAxgi
bottlerocket dependency openssl has a double free vulnerability
A timing-based side channel exists in the OpenSSL RSA decryption implementation which could enable recovery of plaintext from across the network. This affects all RSA padding modes. A server agent compiled with OpenSSL could be made to give up plaintext payloads over the network, but this would require a large number of malicious payloads from a third-party actor as trial messages. OpenSSL was removed in bottlerocket version 1.1.0 in favor of Rust-based TLS using rustls.
Permalink: https://github.com/advisories/GHSA-j859-pmrq-9q6c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qODU5LXBtcnEtOXE2Y84AAxgi
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 9 months ago
Identifiers: GHSA-j859-pmrq-9q6c
References:
- https://github.com/bottlerocket-os/bottlerocket-update-operator/security/advisories/GHSA-j859-pmrq-9q6c
- https://github.com/bottlerocket-os/bottlerocket-update-operator/releases/tag/v1.1.0
- https://rustsec.org/advisories/RUSTSEC-2023-0007.html
- https://www.openssl.org/news/secadv/20230207.txt
- https://github.com/advisories/GHSA-j859-pmrq-9q6c
Blast Radius: 1.0
Affected Packages
cargo:bottlerocket/update-operator
Affected Version Ranges: < 1.1.0
Fixed in: 1.1.0