From: "Prarthana Sagar V via groups.io" <prarthanasv=ami.com@groups.io>
To: "Ard Biesheuvel" <ardb@kernel.org>, devel@edk2.groups.io
Subject: Re: [edk2-devel] Reg: OpenSSL_3.5.0 & MbedTls_3.6.3 upgrade
Date: Tue, 20 May 2025 09:27:07 -0700 [thread overview]
Message-ID: <7615.1747758427307885733@groups.io> (raw)
In-Reply-To: <CAMj1kXGHaybQ2NsvfyvRLK_7rh1M3f7thCozm6eiO7N3RajEXA@mail.gmail.com>
May we know how EDK2 plans to fix the CVEs below in MbedTLS, if it is difficult to update to the next version?

Mbed TLS 3.3.0 (CVE ID / Affected status / Notes / Document link)

CVE-2024-45159
  Status: Affected
  Notes:  Consumes the affected version. Affected versions are Mbed TLS 3.2.0 to 3.6.0.
  Link:   Limited authentication bypass in TLS 1.3 optional client authentication,
          https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-3/

CVE-2024-45199
  Status: Not sure whether it is affected or not
  Notes:  There are not sufficient details to determine whether it is affected.

CVE-2022-46393
  Status: Not affected
  Notes:  An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0.

CVE-2021-44732
  Status: Affected
  Notes:  All versions of Mbed TLS are affected.
  Link:   Double free in mbedtls_ssl_set_session() in an error case (Mbed TLS documentation),
          https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2021-12/

CVE-2019-14697
  Status: Not sure whether it is affected or not
  Notes:  There are not sufficient details to determine whether it is affected.

CVE-2022-35409
  Status: Not affected
  Notes:  Does not consume the affected version. Affected versions are Mbed TLS 2.28.0 to 3.1.0.
  Link:   Buffer overread in DTLS ClientHello parsing (Mbed TLS documentation),
          https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2022-07/

CVE-2024-23744
  Status: Not sure whether it is affected or not (*as of my understanding, this CVE does not affect us*)
  Notes:  On the NIST website, they mention the issue was discovered in Mbed TLS 3.5.1.
  Link:   https://github.com/Mbed-TLS/mbedtls/issues/8694

CVE-2024-23775
  Status: Affected
  Notes:  Consumes the affected version. Affected versions are Mbed TLS 2.28.6 to 3.5.1.
  Link:   Buffer overflow in mbedtls_x509_set_extension(),
          https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/

CVE-2023-43615
  Status: Affected
  Notes:  All versions of Mbed TLS are affected.
  Link:   Buffer overread in TLS stream cipher suites (Mbed TLS documentation),
          https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2023-10-1/

CVE-2023-52353
  Status: Yes, affected
  Notes:  Already fixed in CryptoPkg_57.

CVE-2021-43666
  Status: Not sure whether it is affected or not
  Notes:  This CVE exists in 3.0.0; not sure whether it affects version 3.3.0 as well.
  Link:   https://github.com/Mbed-TLS/mbedtls/pull/5155/files

CVE-2018-9989
  Status: Not sure whether it is affected or not
  Notes:  On the NIST website, they mention the issue is in Mbed TLS versions before 2.8.0.
  Link:   https://nvd.nist.gov/vuln/detail/CVE-2018-9989

CVE-2021-45451
  Status: Not sure whether it is affected or not
  Notes:  On the NIST website, they mention the issue is in Mbed TLS versions before 3.1.0.

CVE-2020-36478
  Status: Not sure whether it is affected or not
  Notes:  They provided the patch based on Mbed TLS version 2.25.0, but our Mbed TLS version is 3.3.0.
  Link:   Add tag check to cert algorithm check, Mbed-TLS/mbedtls@ca17ebf,
          https://github.com/Mbed-TLS/mbedtls/commit/ca17ebfbc02b57e2bcb42efe64a5f2002c756ea8

CVE-2018-9988
  Status: Not sure whether it is affected or not
  Notes:  They provided the patch based on Mbed TLS version 2.8.0, but our Mbed TLS version is 3.3.0.
  Link:   https://nvd.nist.gov/vuln/detail/CVE-2018-9988

CVE-2020-36476
  Status: Not sure whether it is affected or not
  Notes:  There are not sufficient details to determine whether it is affected.

CVE-2021-45450
  Status: Not sure whether it is affected or not
  Notes:  There are not sufficient details to determine whether it is affected.

CVE-2020-36475
  Status: Not sure whether it is affected or not
  Notes:  There are not sufficient details to determine whether it is affected.

CVE-2018-0497
  Status: Affected
  Notes:  All versions of Mbed TLS from version 1.2 upwards, including all 2.1, 2.7 and later releases.
  Link:   Mbed TLS Security Advisory 2018-02,
          https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2018-02/

CVE-2020-36477
  Status: Not affected
  Notes:  Based on the NIST website information, the affected version is 2.24.0.

CVE-2020-10941
  Status: Not sure whether it is affected or not
  Notes:  There are not sufficient details to determine whether it is affected.

CVE-2024-23170
  Status: Affected
  Notes:  Consumes the affected version. Affected versions are Mbed TLS 2.28.6 to 3.5.1.
  Link:   Timing side channel in private key RSA operations (Mbed TLS documentation),
          https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/

CVE-2020-16150
  Status: Affected
  Notes:  All versions of Mbed TLS are affected.
  Link:   Local side channel attack on classical CBC decryption in (D)TLS,
          https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2020-09-1/

CVE-2020-28928
  Status: Not affected, because we don't have Docker files.
  Link:   https://github.com/apache/apisix-docker/pull/166/files
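The message above triages each CVE by hand against the pinned Mbed TLS 3.3.0, comparing it with the affected ranges quoted from the advisories and NVD. The script below is an added example, not code from the edk2 project or from the sender: it reads the pinned version from the MBEDTLS_VERSION_STRING macro in Mbed TLS's build_info.h (here a constructed sample of that header) and evaluates it against the version ranges exactly as they are worded in the message. The range table is constructed from those quoted ranges only; it is not a complete or authoritative list, and entries described as "all versions" cannot be encoded as a closed interval.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '3.3.0' into (3, 3, 0) so ordinary tuple comparison orders releases."""
    return tuple(int(part) for part in text.strip().split("."))


def version_from_build_info(header_text: str) -> str:
    """Pull MBEDTLS_VERSION_STRING out of the text of include/mbedtls/build_info.h."""
    m = re.search(r'#define\s+MBEDTLS_VERSION_STRING\s+"([0-9.]+)"', header_text)
    if not m:
        raise ValueError("MBEDTLS_VERSION_STRING not found in header text")
    return m.group(1)


@dataclass(frozen=True)
class VersionRange:
    lo: Optional[str]    # inclusive lower bound; None means "from the first release"
    hi: str              # upper bound
    hi_inclusive: bool   # True for "A to B", False for "before B"

    def contains(self, v: Version) -> bool:
        if self.lo is not None and v < parse_version(self.lo):
            return False
        hi = parse_version(self.hi)
        return v <= hi if self.hi_inclusive else v < hi


def between(lo: str, hi: str) -> VersionRange:
    """Advisory wording 'Affected versions are A to B' (both ends inclusive)."""
    return VersionRange(lo, hi, True)


def before(hi: str, lo: Optional[str] = None) -> VersionRange:
    """NVD wording 'before B' (exclusive), optionally limited to a branch ('3.x before 3.3.0')."""
    return VersionRange(lo, hi, False)


# Constructed from the ranges quoted in the message; not authoritative or complete.
# Caveat: a span such as "2.28.6 to 3.5.1" is taken literally, so it also covers
# later 2.28.x LTS releases; the advisory text gives the per-branch fix versions.
ADVISORY_RANGES: Dict[str, List[VersionRange]] = {
    "CVE-2024-45159": [between("3.2.0", "3.6.0")],
    "CVE-2022-46393": [before("2.28.2"), before("3.3.0", lo="3.0.0")],
    "CVE-2022-35409": [between("2.28.0", "3.1.0")],
    "CVE-2024-23775": [between("2.28.6", "3.5.1")],
    "CVE-2024-23170": [between("2.28.6", "3.5.1")],
}


def triage(version: str,
           ranges: Dict[str, List[VersionRange]] = ADVISORY_RANGES) -> Dict[str, bool]:
    """Map each CVE to True if `version` falls inside any of its quoted ranges."""
    v = parse_version(version)
    return {cve: any(r.contains(v) for r in rs) for cve, rs in ranges.items()}


# Constructed sample of the version macros as they appear in Mbed TLS 3.x build_info.h.
SAMPLE_BUILD_INFO = '''
#define MBEDTLS_VERSION_MAJOR  3
#define MBEDTLS_VERSION_MINOR  3
#define MBEDTLS_VERSION_PATCH  0
#define MBEDTLS_VERSION_STRING         "3.3.0"
'''

if __name__ == "__main__":
    # In a real tree, read the submodule's include/mbedtls/build_info.h instead.
    ver = version_from_build_info(SAMPLE_BUILD_INFO)
    for cve, hit in triage(ver).items():
        print(f"{cve}: {'affected' if hit else 'not affected'} at Mbed TLS {ver}")
```

Run against the sample header this reproduces the sender's verdicts for the five CVEs whose ranges are quoted with explicit bounds: 3.3.0 lies inside 3.2.0 to 3.6.0 and 2.28.6 to 3.5.1 but outside 2.28.0 to 3.1.0 and outside "3.x before 3.3.0". The literal-interval caveat in the comment matters on the LTS branch: for a 2.28.x tree, take the branch-specific fix version from the advisory rather than the quoted span.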
Thread overview: 5+ messages
2025-05-12 6:36 [edk2-devel] Reg: OpenSSL_3.5.0 & MbedTls_3.6.3 upgrade Prarthana Sagar V via groups.io
2025-05-12 9:44 ` Gerd Hoffmann via groups.io
2025-05-13 13:41 ` Ard Biesheuvel via groups.io
2025-05-20 16:27 ` Prarthana Sagar V via groups.io [this message]
2025-05-29 5:45 ` Prarthana Sagar V via groups.io