
The error message you are seeing indicates that my system has not been updated to the latest version of OpenSSL, which includes a fix for the CVE-2023-2650 vulnerability. How to fix this?

Hit:1 http://us.archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:3 https://dl.google.com/linux/chrome/deb stable InRelease
Hit:4 https://packages.microsoft.com/repos/edge stable InRelease
Hit:5 http://us.archive.ubuntu.com/ubuntu jammy-backports InRelease
Hit:6 https://esm.ubuntu.com/cis/ubuntu jammy InRelease
Hit:7 http://us.archive.ubuntu.com/ubuntu jammy-security InRelease
Hit:8 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security InRelease
Hit:9 https://esm.ubuntu.com/apps/ubuntu jammy-apps-updates InRelease
Hit:10 https://esm.ubuntu.com/infra/ubuntu jammy-infra-security InRelease
Hit:11 https://esm.ubuntu.com/infra/ubuntu jammy-infra-updates InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
4 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
#
# An OpenSSL vulnerability has recently been fixed with USN-6188-1 & 6119-1:
# CVE-2023-2650: possible DoS translating ASN.1 object identifiers.
# Ensure you have updated the package to its latest version.
#
The following packages have been kept back:
  libspeechd2 speech-dispatcher speech-dispatcher-audio-plugins speech-dispatcher-espeak-ng
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.

openssl version:

OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
  • You mention a version but the package version is what matters (which I didn't see you provide). Reading https://ubuntu.com/security/CVE-2023-2650 will tell you package 3.0.2-0ubuntu1.10 contains the fix - do you have it? I don't see the message as saying you don't have it; only alerting you to check you have. – guiverc Jul 12 '23 at 07:50
  • Sorry, my dear friend, I thought it was a system problem. Excuse me, I am new to the Linux world <3 – Hossam Nabil Jul 12 '23 at 07:55
  • We all start somewhere/sometime, and asking questions is a great way to learn. FYI: Ubuntu is a stable release system, where fixes are backported to the existing version; thus why package versions are more useful in checking rather than version of the software (as version of software won't change; it'll just get fixes backported to it; there are cases where it's more work to backport fixes than provide a new version - but those cases are extremely rare & avoided wherever possible as it's against the stable release model, stable release model often preferred by enterprise users) – guiverc Jul 12 '23 at 08:00
  • To be fair, it would be less confusing if apt didn't show the warning when the updated package has been installed. I'm still seeing it too, kinda silly. To get your package version you can use apt list openssl – GammaGames Jul 12 '23 at 14:59
  • Please reopen the question. This is not a duplicate question as the apt upgrade message "# An OpenSSL vulnerability has recently been fixed with USN-6188-1 & 6119-1:" is new. I received this message today for the first time on 22.02. The duplicate link was from eight years ago and none of the answers seem applicable/relevant. – Jaydin Jul 12 '23 at 23:31
  • I agree that marking this post as a duplicate of a 2014 one is quite confusing. @guiverc do you have the relevant privileges to re-open? And/or to turn your comment into an answer? Thanks! – Matifou Jul 13 '23 at 10:16
  • @Matifou no I'm just a user on this site (my rep. rates me a 'TU' but that's still a user). To me the question is a duplicate... and my guess as to what would be 'fitting' for how this site is intended to run (as I understand it), is another answer on that duplicate using detail from this question as an example (maybe inc. apt news output, with detail from my first comment with example (apt cache policy maybe to get package version of installed) & reading the CVE notice & comparison etc.). That would be the site appropriate approach as I see it anyway – guiverc Jul 13 '23 at 11:05
  • I can't answer the question because someone flagged it as duplicate, which it is clearly not - facepalm. Anyway you can turn off these messages with sudo pro config set apt_news=False – Bojan Kseneman Jul 14 '23 at 11:24
  • You can also run sudo pro fix CVE-2023-2650 which shows that this CVE affects two packages, one of which is not yet fixed: "1 package is still affected: edk2". Apparently (according to the message), Ubuntu Security Engineers are working on a fix – darthbith Jul 15 '23 at 01:03
  • @darthbith In my case we don't have edk2 installed and the command you give prints "1/1 openssl", then goes on to display "CVE-2023-2650 is resolved". However, the warning is still printed by all apt commands even after it agrees that the bug is fixed, so turning it off with Bojan's comment is still unfortunately required. – Ti Strga Jul 15 '23 at 15:36
  • @darthbith if you have nodejs installed: "1 package is still affected: nodejs - Sorry, no fix is available yet." which IMHO is unsettling – GrafiCode Jul 16 '23 at 12:16

2 Answers


Your assumptions are unfortunately wrong. Let me decipher the message for you.

# An OpenSSL vulnerability has recently been fixed with USN-6188-1 & 6119-1:
# CVE-2023-2650: possible DoS translating ASN.1 object identifiers.
# Ensure you have updated the package to its latest version.

This is a service message telling you that there is a security update for OpenSSL. It's not an error, warning or anything like that at all.

The following packages have been kept back:
  libspeechd2 speech-dispatcher speech-dispatcher-audio-plugins speech-dispatcher-espeak-ng
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.

Since there are 4 packages held back, and none to be upgraded, it's evident that OpenSSL is already upgraded to the latest version.

If you run apt policy openssl you'll get:

openssl:
  Installed: 3.0.2-0ubuntu1.10
  Candidate: 3.0.2-0ubuntu1.10
  Version table:
  ...

This is the latest upgraded version (as of August 2023).

The apt message is only a service, known as "APT News". To remove those messages, see this Q&A.

Artur Meinild

This is still popping up for me. If you know the patched version (3.0.2-0ubuntu1.10), you can check your installed version with apt list openssl:

openssl/jammy-security,jammy-updates,now 3.0.2-0ubuntu1.10 amd64 [installed]

I haven't been able to get the warning to go away when I run sudo apt upgrade, but you can run sudo pro fix CVE-2023-2650 to check if you have any other vulnerable packages:

CVE-2023-2650: OpenSSL vulnerability
 - https://ubuntu.com/security/CVE-2023-2650

No affected source packages are installed.

✔ CVE-2023-2650 does not affect your system.