—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Multiple vulnerabilities in OpenSSL 

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: MEDIUM

Software Affected

OpenSSL version 1.0.2

OpenSSL version 1.1.1

OpenSSL version 3.0

OpenSSL version 3.2

OpenSSL version 3.3

OpenSSL version 3.4

OpenSSL version 3.5

Overview

Multiple vulnerabilities have been reported in OpenSSL, which could be exploited by a remote attacker to execute arbitrary code, cause a denial of service condition, or disclose sensitive information on the targeted system.

Target Audience:

All end-user organisations and individuals using OpenSSL.

Risk Assessment:

Potential for data loss, compromise of sensitive information and service unavailability.

Impact Assessment:

Medium risk of system compromise and service disruption.

Description

OpenSSL is a free and open-source software for general-purpose cryptography and secure communication. It provides a robust, full-featured toolkit for implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

Multiple vulnerabilities exist in OpenSSL due to an out-of-bounds read and write in RFC 3211 KEK Unwrap; a timing side-channel in the SM2 algorithm on 64-bit ARM; and an out-of-bounds read in the HTTP client no_proxy handling. A remote attacker could exploit these vulnerabilities by sending specially crafted inputs.

Successful exploitation of these vulnerabilities could allow by a remote attacker to execute arbitrary code, cause a denial of service condition, or disclose sensitive information on the targeted system.

Solution

Apply appropriate updates as mentioned by the vendor:

https://openssl-library.org/news/secadv/20250930.txt

Vendor Information

OpenSSL

https://openssl-library.org/news/secadv/20250930.txt

References

OpenSSL

https://openssl-library.org/news/secadv/20250930.txt

CVE Name

CVE-2025-9230

CVE-2025-9231

CVE-2025-9232

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmjnuuEACgkQ3jCgcSdc

ys8P+g//SZlZqU7n3j0cwVHN/GivnR1Qxiswd3GJk/IdQFe8ikX4lFMHu5Pzrl08

3f3q2uQYzuVcSmneT09eTEVn+0x1UMqikqTKibb2qNInx7yRIKBQV2d+5JrjCLjM

41EMkyqNHAvdXGIpY9jqYIoYgAMRmOj396qF5rZWTczm2RBYeZI7slv71YgwKDzK

QORABK1nuvmDBB/CfziaNP/tcj340TBGas93I7xNOFTRuzhibA6TfH2yivZZzXVf

L5fvH2kVw+CFuWIc7IXx2XI3y7St+jHKg288jysRbVJ2K+x7i6RJtNZdUbR5l+Vl

3NjTqhqSZLfYafiggRGohU+zmxWoDruIcGl50e8YPLBxvJJIBkrbcuNQl0SjMYte

crSIjda4CzmWoeKuXd34xO83GG+VB1IRcUudCVgEc1OXkmtXnGA3wy4A9L9Ut9D8

ausR8xyKM9svvSuZ5MThvXMtiER0NRdtETjRm8u5za27blRTayj2rsvy+MmUoMMQ

Uw8MgWjTlvG+Se2iaHyQVt5yd6u5ccn+rziADvfFITTDlfSb9geNoH5OCH1Q42RZ

CnAOGxu38FuY6mM7o4jTGwIy2oeeuZWUetcq6zZbKiZvJfdtQJPlCXlg6pArTw5z

V75GEFWvfXCEB00fbE6GvesIutAsz20+AphWsSaVGY0eFqprXVQ=

=biyB

—–END PGP SIGNATURE—–