Third Party Security Advisories - mikebeaton/tianocore.github.io GitHub Wiki

CVE-2024-5535 - OpenSSL

Published: 6/27/2024

Recommendation:

Not a problem for EDK2. EDK2 does not call the SSL_select_next_proto function.

CVE-2024-4741 - OpenSSL

Published: 5/28/2024

Recommendation:

Not a problem for EDK2. EDK2 does not directly call the SSL_free_buffers function.

CVE-2024-4603 - OpenSSL

Published: 5/16/2024

Recommendation:

Not a problem for EDK2. EDK2 does not support DSA.

CVE-2024-2511 - OpenSSL

Published: 4/08/2024

Recommendation:

Not a problem for EDK2. This CVE only affects TLS servers supporting TLSv1.3. EDK2 does not support TLS server configurations. EDK2 does not support TLSv1.3.

CVE-2024-0727 - OpenSSL

Published: 1/25/2024

Recommendation:

Not a problem for EDK2. EDK2 CryptoPkg does not use the PKCS12 implementation or the SMIME_write_PKCS7() function.

CVE-2023-6237 - OpenSSL

Published: 1/15/2024

Recommendation:

No impact. The EDK2 CryptoPkg does not use the OpenSSL function EVP_PKEY_public_check().

CVE-2023-6129 - OpenSSL

Published: 1/09/2024

Recommendation:

No impact. The OpenSSL POLY1305 implementation is disabled by default in the EDK2 CryptoPkg configuration.

CVE-2023-5678 - OpenSSL

Published: 11/06/2023

Recommendation:

No impact. The affected DH params are not used by EDK2. EDK2 does not call any DH_check* related functions.

CVE-2023-5363 - OpenSSL

Published: 10/25/2023

Recommendation:

No impact. The affected functions that change the key and IV lengths are not called by EDK2 CryptoPkg.

CVE-2023-4807 - OpenSSL

Published: 09/08/2023

Recommendation:

No impact. The OpenSSL POLY1305 implementation is disabled by default in the CryptoPkg configuration.

CVE-2023-3817 - OpenSSL

Published: 07/31/2023

Recommendation:

No impact. DH code is used in CryptDh.c and TlsLib. In CryptoDh.c, EDK2 does not use DH_check() related functions and existing functions will not call into DH_check(). The TlsLib implementation is not affected by this issue.

CVE-2023-3446 - OpenSSL

Published: 07/19/2023

Recommendation:

No impact. The DH code of EDK2 does not call the DH_check() and related functions, or have the risk of using “p” parameters that are too large.

CVE-2023-2975 - OpenSSL

Published: 07/14/2023

Recommendation:

No impact. The OpenSSL AES-SIV cipher implementation is disabled by default in the CryptoPkg configuration.

CVE-2023-2650 - OpenSSL

Published: 05/30/2023

Recommendation:

  • OpenSSL 1.1.1u, updated in the edk2-stable202308 stable tag

CVE-2023-0466 - OpenSSL

Published: 03/28/2023

Recommendation:

No Impact

EDK2 does not use the OpenSSL function X509_VERIFY_PARAM_add0_policy().

CVE-2023-0465 - OpenSSL

Published: 03/28/2023

Recommendation:

No Impact

According to the CVE description, ‘policy’ processing is disabled by default.

For PKCS7, the X509 default parameter is used (NULL is passed in CryptoPkg\Library\BaseCryptLib\Pk\CryptPkcs7VerifyCommon.c)

In X509_STORE_CTX_init(), ‘default’ parameter is used (CryptoPkg\Library\OpensslLib\openssl\crypto\x509\x509_vfy.c)

For X509 verify, no policy parameter is set (CryptoPkg\Library\BaseCryptLib\Pk\CryptX509.c)

CVE-2023-0464 - OpenSSL

Published: 03/22/2023

Recommendation:

No Impact

According to the CVE description, ‘policy’ processing is disabled by default.

For PKCS7, the X509 default parameter is used (NULL is passed in CryptoPkg\Library\BaseCryptLib\Pk\CryptPkcs7VerifyCommon.c)

In X509_STORE_CTX_init(), ‘default’ parameter is used (CryptoPkg\Library\OpensslLib\openssl\crypto\x509\x509_vfy.c)

For X509 verify, no policy parameter is set (CryptoPkg\Library\BaseCryptLib\Pk\CryptX509.c)

CVE-2023-0286 - OpenSSL

Published: 02/08/2023

Recommendation:

No impact to EDK2 updating will resolve CVE

  • OpenSSL 1.1.1t, updated in the edk2-stable202305 stable tag

CVE-2023-0215 - OpenSSL

Published: 02/08/2023

Recommendation:

  • OpenSSL 1.1.1t, updated in the edk2-stable202305 stable tag

CVE-2022-4450 - OpenSSL

Published: 02/08/2023

Recommendation:

  • OpenSSL 1.1.1t, updated in the edk2-stable202305 stable tag

CVE-2022-4304 - OpenSSL

Published: 02/08/2023

Recommendation:

  • OpenSSL 1.1.1t, updated in the edk2-stable202305 stable tag

CVE-2022-2097 - OpenSSL

Published: 07/05/2022

Recommendation:

EDK2 does not enable AES OCB mode or use the 32-bit AES-NI assembly optimizations.

Until further notice, the following versions of OpenSSL are appropriate to use within the EDK2 CryptoPkg:

  • OpenSSL 1.1.1j, updated in the edk2-stable202105 stable tag
  • OpenSSL 1.1.1n, updated in the edk2-stable202205 stable tag

CVE-2022-2068 - OpenSSL

Published: 06/21/2022

Recommendation:

EDK2 never calls the c_rehash.in script in normal build process.

Until further notice, the following versions of OpenSSL are appropriate to use within the EDK2 CryptoPkg:

  • OpenSSL 1.1.1j, updated in the edk2-stable202105 stable tag
  • OpenSSL 1.1.1n, updated in the edk2-stable202205 stable tag

CVE-2022-1292 - OpenSSL

Published: 05/03/2022

Recommendation:

EDK2 never calls the c_rehash.in script in normal build process.

Until further notice, the following versions of OpenSSL are appropriate to use within the EDK2 CryptoPkg:

  • OpenSSL 1.1.1j, updated in the edk2-stable202105 stable tag
  • OpenSSL 1.1.1n, updated in the edk2-stable202205 stable tag

CVE-2022-0778 - OpenSSL

Published: 03/15/2022

Recommendation:

EDK2 does not use the BN_mod_sqrt() function.

Until further notice, the following versions of OpenSSL are appropriate to use within the EDK2 CryptoPkg:

  • OpenSSL 1.1.1j, updated in the edk2-stable202105 stable tag
  • OpenSSL 1.1.1n, updated in the edk2-stable202205 stable tag

CVE-2021-4160 - OpenSSL

Published: 01/28/2022

Recommendation:

The issue only affects MIPS platforms, and we don’t have MIPS in EDK2.

Until further notice, the following versions of OpenSSL are appropriate to use within the EDK2 CryptoPkg:

  • OpenSSL 1.1.1j, updated in the edk2-stable202105 stable tag
  • OpenSSL 1.1.1n, updated in the edk2-stable202205 stable tag

CVE-2021-3712 - OpenSSL

Published: 08/24/2021

Recommendation:

Analysis has confirmed that the relevant OpenSSL string operations have been used correctly and safely in EDK2.

Until further notice, the following versions of OpenSSL are appropriate to use within the EDK2 CryptoPkg:

  • OpenSSL 1.1.1j, updated in the edk2-stable202105 stable tag
  • OpenSSL 1.1.1n, updated in the edk2-stable202205 stable tag

CVE-2021-3711 - OpenSSL

Published: 08/24/2021

Recommendation:

The SM2 algorithm is not supported by EDK2.

Until further notice, the following versions of OpenSSL are appropriate to use within the EDK2 CryptoPkg:

  • OpenSSL 1.1.1j, updated in the edk2-stable202105 stable tag
  • OpenSSL 1.1.1n, updated in the edk2-stable202205 stable tag

CVE-2021-3450 - OpenSSL

Published: 03/25/2021

Recommendation:

X509_V_FLAG_X509_STRICT is never set by edk2.

Until further notice, the following versions of OpenSSL are appropriate to use within the EDK2 CryptoPkg:

  • OpenSSL 1.1.1j, updated in the edk2-stable202105 stable tag
  • OpenSSL 1.1.1n, updated in the edk2-stable202205 stable tag

CVE-2021-3449 - OpenSSL

Published: 03/25/2021

Recommendation:

Edk2 TLS supports client mode only. This issue only exists in server mode.

Until further notice, the following versions of OpenSSL are appropriate to use within the EDK2 CryptoPkg:

  • OpenSSL 1.1.1j, updated in the edk2-stable202105 stable tag
  • OpenSSL 1.1.1n, updated in the edk2-stable202205 stable tag