Unrated severityNVD Advisory· Published Mar 22, 2023· Updated May 5, 2025
Excessive Resource Usage Verifying X.509 Policy Constraints
CVE-2023-0464
Description
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.
Policy processing is disabled by default but can be enabled by passing the -policy' argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies()' function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
119all supported versions+ 1 more
- (no CPE)range: all supported versions
- (no CPE)range: 3.1.0
- osv-coords117 versionspkg:apk/chainguard/libcrypto3pkg:apk/chainguard/libssl3pkg:apk/chainguard/opensslpkg:apk/chainguard/openssl-configpkg:apk/chainguard/openssl-dbgpkg:apk/chainguard/openssl-devpkg:apk/chainguard/openssl-docpkg:apk/chainguard/openssl-engine-afalgpkg:apk/chainguard/openssl-engine-capipkg:apk/chainguard/openssl-engine-loader-atticpkg:apk/chainguard/openssl-engine-padlockpkg:apk/chainguard/openssl-provider-fipspkg:apk/chainguard/openssl-provider-legacypkg:apk/chainguard/ruby-3.0pkg:apk/chainguard/ruby-3.0-devpkg:apk/chainguard/ruby-3.0-docpkg:apk/chainguard/ruby-3.1pkg:apk/chainguard/ruby-3.1-basepkg:apk/chainguard/ruby-3.1-base-devpkg:apk/chainguard/ruby-3.1-devpkg:apk/chainguard/ruby-3.1-docpkg:apk/chainguard/ruby-3.2pkg:apk/chainguard/ruby-3.2-basepkg:apk/chainguard/ruby-3.2-base-devpkg:apk/chainguard/ruby-3.2-devpkg:apk/chainguard/ruby-3.2-docpkg:apk/wolfi/libcrypto3pkg:apk/wolfi/libssl3pkg:apk/wolfi/opensslpkg:apk/wolfi/openssl-configpkg:apk/wolfi/openssl-dbgpkg:apk/wolfi/openssl-devpkg:apk/wolfi/openssl-docpkg:apk/wolfi/openssl-engine-afalgpkg:apk/wolfi/openssl-engine-capipkg:apk/wolfi/openssl-engine-loader-atticpkg:apk/wolfi/openssl-engine-padlockpkg:apk/wolfi/openssl-provider-legacypkg:apk/wolfi/ruby-3.0pkg:apk/wolfi/ruby-3.0-devpkg:apk/wolfi/ruby-3.0-docpkg:apk/wolfi/ruby-3.1pkg:apk/wolfi/ruby-3.1-basepkg:apk/wolfi/ruby-3.1-base-devpkg:apk/wolfi/ruby-3.1-devpkg:apk/wolfi/ruby-3.1-docpkg:apk/wolfi/ruby-3.2pkg:apk/wolfi/ruby-3.2-basepkg:apk/wolfi/ruby-3.2-base-devpkg:apk/wolfi/ruby-3.2-devpkg:apk/wolfi/ruby-3.2-docpkg:rpm/almalinux/opensslpkg:rpm/almalinux/openssl-develpkg:rpm/almalinux/openssl-libspkg:rpm/almalinux/openssl-perlpkg:rpm/opensuse/openssl-1_0_0&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/openssl-1_0_0&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/openssl-1_1&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/openssl-1_1&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/openssl-1_1&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/openssl-3&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/openssl-3&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python-pymssql&distro=openSUSE%20Tumbleweedpkg:rpm/suse/compat-openssl098&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Legacy%2012pkg:rpm/suse/compat-openssl098&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/compat-openssl098&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOSpkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Legacy%2015%20SP4pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-ESPOSpkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSSpkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openssl-1_0_0&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openssl-1_1&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/openssl-1_1&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOSpkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-ESPOSpkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSSpkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/openssl-1_1&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/openssl-1_1&distro=SUSE%20Manager%20Proxy%204.2pkg:rpm/suse/openssl-1_1&distro=SUSE%20Manager%20Server%204.2pkg:rpm/suse/openssl-1_1&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openssl-1_1&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openssl1&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4%20LTSS%20EXTREME%20COREpkg:rpm/suse/openssl-3&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/openssl&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4%20LTSS%20EXTREME%20COREpkg:rpm/suse/openssl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL
< 3.1.0-r1+ 116 more
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.0.9-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 3.1.0-r1
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1:3.0.7-16.el9_2
- (no CPE)range: < 1:3.0.7-16.el9_2
- (no CPE)range: < 1:3.0.7-16.el9_2
- (no CPE)range: < 1:3.0.7-16.el9_2
- (no CPE)range: < 1.0.2p-150000.3.70.1
- (no CPE)range: < 1.0.2u-14.1
- (no CPE)range: < 1.1.1l-150400.7.31.2
- (no CPE)range: < 1.1.1l-150400.7.31.2
- (no CPE)range: < 1.1.1t-2.1
- (no CPE)range: < 3.0.1-150400.4.20.1
- (no CPE)range: < 3.1.1-1.1
- (no CPE)range: < 2.3.12-1.1
- (no CPE)range: < 0.9.8j-106.45.1
- (no CPE)range: < 0.9.8j-106.45.1
- (no CPE)range: < 0.9.8j-106.45.1
- (no CPE)range: < 1.0.2p-150000.3.70.1
- (no CPE)range: < 1.0.2p-150000.3.70.1
- (no CPE)range: < 1.0.2p-150000.3.70.1
- (no CPE)range: < 1.0.2p-150000.3.70.1
- (no CPE)range: < 1.0.2p-150000.3.70.1
- (no CPE)range: < 1.0.2p-3.69.1
- (no CPE)range: < 1.0.2p-3.69.1
- (no CPE)range: < 1.0.2p-3.69.1
- (no CPE)range: < 1.0.2p-150000.3.70.1
- (no CPE)range: < 1.0.2p-150000.3.70.1
- (no CPE)range: < 1.0.2p-150000.3.70.1
- (no CPE)range: < 1.0.2p-3.69.1
- (no CPE)range: < 1.0.2p-3.69.1
- (no CPE)range: < 1.0.2p-150000.3.70.1
- (no CPE)range: < 1.0.2p-150000.3.70.1
- (no CPE)range: < 1.0.2p-150000.3.70.1
- (no CPE)range: < 1.0.2p-3.69.1
- (no CPE)range: < 1.0.2p-3.69.1
- (no CPE)range: < 1.0.2p-3.69.1
- (no CPE)range: < 1.1.1d-150200.11.62.1
- (no CPE)range: < 1.1.1d-150200.11.62.1
- (no CPE)range: < 1.1.0i-150100.14.45.1
- (no CPE)range: < 1.1.1d-150200.11.62.1
- (no CPE)range: < 1.1.1d-150200.11.62.1
- (no CPE)range: < 1.1.1d-150200.11.62.1
- (no CPE)range: < 1.1.1d-150200.11.62.1
- (no CPE)range: < 1.1.1d-150200.11.62.1
- (no CPE)range: < 1.1.1l-150400.7.31.2
- (no CPE)range: < 1.1.1l-150400.7.31.2
- (no CPE)range: < 1.1.1l-150400.7.31.2
- (no CPE)range: < 1.1.1d-150200.11.62.1
- (no CPE)range: < 1.1.1d-2.78.1
- (no CPE)range: < 1.1.1d-2.78.1
- (no CPE)range: < 1.1.1d-2.78.1
- (no CPE)range: < 1.1.0i-150100.14.45.1
- (no CPE)range: < 1.1.1d-150200.11.62.1
- (no CPE)range: < 1.1.1d-150200.11.62.1
- (no CPE)range: < 1.1.1d-2.78.1
- (no CPE)range: < 1.1.1d-2.78.1
- (no CPE)range: < 1.1.0i-150100.14.45.1
- (no CPE)range: < 1.1.1d-150200.11.62.1
- (no CPE)range: < 1.1.1d-150200.11.62.1
- (no CPE)range: < 1.1.1d-2.78.1
- (no CPE)range: < 1.1.1d-150200.11.62.1
- (no CPE)range: < 1.1.1d-150200.11.62.1
- (no CPE)range: < 1.1.1d-2.78.1
- (no CPE)range: < 1.1.1d-2.78.1
- (no CPE)range: < 1.0.1g-0.58.59.1
- (no CPE)range: < 3.0.1-150400.4.20.1
- (no CPE)range: < 0.9.8j-0.106.63.1
- (no CPE)range: < 1.0.2j-60.89.1
Patches
Vulnerability mechanics
References
10- git.openssl.org/gitweb/mitrepatch
- git.openssl.org/gitweb/mitrepatch
- git.openssl.org/gitweb/mitrepatch
- git.openssl.org/gitweb/mitrepatch
- www.openssl.org/news/secadv/20230322.txtmitrevendor-advisory
- lists.debian.org/debian-lts-announce/2023/06/msg00011.htmlmitre
- security.gentoo.org/glsa/202402-08mitre
- security.netapp.com/advisory/ntap-20240621-0006/mitre
- www.couchbase.com/alerts/mitre
- www.debian.org/security/2023/dsa-5417mitre
News mentions
0No linked articles in our index yet.