-
Notifications
You must be signed in to change notification settings - Fork 345
Third Party Security Advisories
Not a problem for EDK2. GF(2^M) Curves (EC2M) are not enabled in EDK2 CryptoPkg.
Impacts EDK2 TlsLib. The issue is only applicable to OpenSSL 3.* branches. Recommend moving to OpenSSL 3.0.15.
The issue does not impact OpenSSL 1.1.1 branch.
Not a problem for EDK2. EDK2 does not call the SSL_select_next_proto function.
Not a problem for EDK2. EDK2 does not directly call the SSL_free_buffers function.
Not a problem for EDK2. EDK2 does not support DSA.
Not a problem for EDK2. This CVE only affects TLS servers supporting TLSv1.3. EDK2 does not support TLS server configurations. EDK2 does not support TLSv1.3.
Not a problem for EDK2. EDK2 CryptoPkg does not use the PKCS12 implementation or the SMIME_write_PKCS7() function.
No impact. The EDK2 CryptoPkg does not use the OpenSSL function EVP_PKEY_public_check().
No impact. The OpenSSL POLY1305 implementation is disabled by default in the EDK2 CryptoPkg configuration.
No impact. The affected DH params are not used by EDK2. EDK2 does not call any DH_check* related functions.
No impact. The affected functions that change the key and IV lengths are not called by EDK2 CryptoPkg.
No impact. The OpenSSL POLY1305 implementation is disabled by default in the CryptoPkg configuration.
No impact. DH code is used in CryptDh.c and TlsLib. In CryptoDh.c, EDK2 does not use DH_check() related functions and existing functions will not call into DH_check(). The TlsLib implementation is not affected by this issue.
No impact. The DH code of EDK2 does not call the DH_check() and related functions, or have the risk of using “p” parameters that are too large.
No impact. The OpenSSL AES-SIV cipher implementation is disabled by default in the CryptoPkg configuration.
- OpenSSL 1.1.1u, updated in the edk2-stable202308 stable tag
No Impact
EDK2 does not use the OpenSSL function X509_VERIFY_PARAM_add0_policy().
No Impact
According to the CVE description, ‘policy’ processing is disabled by default.
For PKCS7, the X509 default parameter is used (NULL is passed in CryptoPkg\Library\BaseCryptLib\Pk\CryptPkcs7VerifyCommon.c)
In X509_STORE_CTX_init(), ‘default’ parameter is used (CryptoPkg\Library\OpensslLib\openssl\crypto\x509\x509_vfy.c)
For X509 verify, no policy parameter is set (CryptoPkg\Library\BaseCryptLib\Pk\CryptX509.c)
No Impact
According to the CVE description, ‘policy’ processing is disabled by default.
For PKCS7, the X509 default parameter is used (NULL is passed in CryptoPkg\Library\BaseCryptLib\Pk\CryptPkcs7VerifyCommon.c)
In X509_STORE_CTX_init(), ‘default’ parameter is used (CryptoPkg\Library\OpensslLib\openssl\crypto\x509\x509_vfy.c)
For X509 verify, no policy parameter is set (CryptoPkg\Library\BaseCryptLib\Pk\CryptX509.c)
No impact to EDK2 updating will resolve CVE
- OpenSSL 1.1.1t, updated in the edk2-stable202305 stable tag
- OpenSSL 1.1.1t, updated in the edk2-stable202305 stable tag
- OpenSSL 1.1.1t, updated in the edk2-stable202305 stable tag
- OpenSSL 1.1.1t, updated in the edk2-stable202305 stable tag
EDK2 does not enable AES OCB mode or use the 32-bit AES-NI assembly optimizations.
Until further notice, the following versions of OpenSSL are appropriate to use within the EDK2 CryptoPkg:
- OpenSSL 1.1.1j, updated in the edk2-stable202105 stable tag
- OpenSSL 1.1.1n, updated in the edk2-stable202205 stable tag
EDK2 never calls the c_rehash.in script in normal build process.
Until further notice, the following versions of OpenSSL are appropriate to use within the EDK2 CryptoPkg:
- OpenSSL 1.1.1j, updated in the edk2-stable202105 stable tag
- OpenSSL 1.1.1n, updated in the edk2-stable202205 stable tag
EDK2 never calls the c_rehash.in script in normal build process.
Until further notice, the following versions of OpenSSL are appropriate to use within the EDK2 CryptoPkg:
- OpenSSL 1.1.1j, updated in the edk2-stable202105 stable tag
- OpenSSL 1.1.1n, updated in the edk2-stable202205 stable tag
EDK2 does not use the BN_mod_sqrt() function.
Until further notice, the following versions of OpenSSL are appropriate to use within the EDK2 CryptoPkg:
- OpenSSL 1.1.1j, updated in the edk2-stable202105 stable tag
- OpenSSL 1.1.1n, updated in the edk2-stable202205 stable tag
The issue only affects MIPS platforms, and we don’t have MIPS in EDK2.
Until further notice, the following versions of OpenSSL are appropriate to use within the EDK2 CryptoPkg:
- OpenSSL 1.1.1j, updated in the edk2-stable202105 stable tag
- OpenSSL 1.1.1n, updated in the edk2-stable202205 stable tag
Analysis has confirmed that the relevant OpenSSL string operations have been used correctly and safely in EDK2.
Until further notice, the following versions of OpenSSL are appropriate to use within the EDK2 CryptoPkg:
- OpenSSL 1.1.1j, updated in the edk2-stable202105 stable tag
- OpenSSL 1.1.1n, updated in the edk2-stable202205 stable tag
The SM2 algorithm is not supported by EDK2.
Until further notice, the following versions of OpenSSL are appropriate to use within the EDK2 CryptoPkg:
- OpenSSL 1.1.1j, updated in the edk2-stable202105 stable tag
- OpenSSL 1.1.1n, updated in the edk2-stable202205 stable tag
X509_V_FLAG_X509_STRICT is never set by edk2.
Until further notice, the following versions of OpenSSL are appropriate to use within the EDK2 CryptoPkg:
- OpenSSL 1.1.1j, updated in the edk2-stable202105 stable tag
- OpenSSL 1.1.1n, updated in the edk2-stable202205 stable tag
Edk2 TLS supports client mode only. This issue only exists in server mode.
Until further notice, the following versions of OpenSSL are appropriate to use within the EDK2 CryptoPkg:
- OpenSSL 1.1.1j, updated in the edk2-stable202105 stable tag
- OpenSSL 1.1.1n, updated in the edk2-stable202205 stable tag
Home
Getting Started with EDK II
Build Instructions
EDK II Platforms
EDK II Documents
EDK II Release Planning
Reporting Issues
Reporting Security Issues
Community Information
Inclusive Language
Additional Projects & Tasks
Training
Community Support
Community Virtual Meetings
GHSA GitHub Security Advisories Proceess (Draft)