SB2017042710 - Improper Certificate Validation in libressl (Alpine package)
Published: April 27, 2017
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper Certificate Validation (CVE-ID: CVE-2017-8301)
The vulnerability allows a remote attacker to perform a MitM attack.
The vulnerability exists due to improper TLS certificate validation in the SSL_get_verify_result() function in LibreSSL. A remote attacker can bypass the certificate validation process and perform a MitM attack.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=5e963ab0d5002a2646d9ef26ba30b81d924f00de
- https://git.alpinelinux.org/aports/commit/?id=61ed183084f3ab8c122bd6bce5b98e550ef6a7be
- https://git.alpinelinux.org/aports/commit/?id=900ea77e7a09bb9f78e5e10f128bd264be5b50a7
- https://git.alpinelinux.org/aports/commit/?id=08ab682249a645c4dc445a8400f60b73fc259d36
- https://git.alpinelinux.org/aports/commit/?id=5db940af6587abdb7e3ca4d226ed0fec79773a88
- https://git.alpinelinux.org/aports/commit/?id=6f2652eb1a793606f009e0af18793dc24bba890b
- https://git.alpinelinux.org/aports/commit/?id=287ed5e40db2291cbb8bb3e22792e4ae3a027d4c
- https://git.alpinelinux.org/aports/commit/?id=500f378f52a862e91c61de633df00197d4afd366