Upstream information
Description
ARM mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentication is configured, allows remote attackers to bypass peer authentication via an X.509 certificate chain with many intermediates. NOTE: although mbed TLS was formerly known as PolarSSL, the releases shipped with the PolarSSL name are not affected.SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
| National Vulnerability Database | |
|---|---|
| Base Score | 6.8 |
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
| National Vulnerability Database | |
|---|---|
| Base Score | 8.1 |
| Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Access Vector | Network |
| Access Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| CVSSv3 Version | 3 |
- openSUSE-SU-2017:2731-1, published Tue, 17 Oct 2017 00:07:26 +0200 (CEST)
- openSUSE-SU-2017:2736-1, published Tue, 17 Oct 2017 00:11:34 +0200 (CEST)
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| SUSE Package Hub for SUSE Linux Enterprise 12 |
| Patchnames: openSUSE-2017-1156 |
| openSUSE Leap 42.2 |
| Patchnames: openSUSE-2017-1156 |
| openSUSE Leap 42.3 |
| Patchnames: openSUSE-2017-1156 |
