Third-Party Security Advisories

CVE-2025-11187 – OpenSSL

Recommendation:

Not a problem for EDK2. EDK2 CryptoPkg does not support PKCS#12.

CVE-2025-15467 – OpenSSL

Recommendation:

Not a problem for EDK2. EDK2 CryptoPkg does not support CMS.

CVE-2025-15468 – OpenSSL

Recommendation:

Not a problem for EDK2. EDK2 CryptoPkg does not use SSL_CIPHER_find().

CVE-2025-15469 – OpenSSL

Recommendation:

Not a problem for EDK2. EDK2 CryptoPkg does not use OpenSSL applications, including the "openssl dgst" command-line tool.

CVE-2025-66199 – OpenSSL

Recommendation:

Not a problem for EDK2. EDK2 CryptoPkg does not support CompressedCertificate. All compression algorithms (brotli, zlib, zstd) are disabled by default.

CVE-2025-68160 – OpenSSL

Recommendation:

Not a problem for EDK2. EDK2 CryptoPkg does not have a use case for BIO_f_linebuffer.

CVE-2025-69418 – OpenSSL

Recommendation:

Not a problem for EDK2. EDK2 CryptoPkg has OCB disabled by default.

Recommendation:

Not a problem for EDK2. EDK2 CryptoPkg does not support PKCS#12.

CVE-2025-69420 – OpenSSL

Recommendation:

Not a problem for EDK2. EDK2 CryptoPkg has TS disabled by default.

CVE-2025-69421 – OpenSSL

Recommendation:

Not a problem for EDK2. EDK2 CryptoPkg does not support PKCS#12.

CVE-2025-9232- OpenSSL

Recommendation

Not a problem for EDK2. The OpenSSL HTTP implementation is not used by EDK2. EDK2 has its own HTTP implementation in NetworkPkg.

CVE-2025-9231- OpenSSL

Recommendation

Not a problem for EDK2. SM2 is not used by EDK2 CryptoPkg.

Recommendation

Not a problem for EDK2. CMS is not used by EDK2 CryptoPkg.

Recommendation

Not a problem for EDK2. The OpenSSL API to enable Raw Public Keys (RPKs) is not available to users of EDK2 CryptoPkg.

Recommendation

Not a problem for EDK2. GF(2^M) Curves (EC2M) are not enabled in EDK2 CryptoPkg.

Recommendation

Impacts EDK2 TlsLib. The issue is only applicable to OpenSSL 3.* branches. Recommend moving to OpenSSL 3.0.15.

The issue does not impact OpenSSL 1.1.1 branch.

Recommendation

Not a problem for EDK2. EDK2 does not call the SSL_select_next_proto function.

Recommendation

Not a problem for EDK2. EDK2 does not directly call the SSL_free_buffers function.

Recommendation

Not a problem for EDK2. EDK2 does not support DSA.

Recommendation

Not a problem for EDK2. This CVE only affects TLS servers supporting TLSv1.3. EDK2 does not support TLS server configurations. EDK2 does not support TLSv1.3.

Recommendation

Not a problem for EDK2. EDK2 CryptoPkg does not use the PKCS12 implementation or the SMIME_write_PKCS7() function.

Recommendation

No impact. The EDK2 CryptoPkg does not use the OpenSSL function EVP_PKEY_public_check().

Recommendation

No impact. The OpenSSL POLY1305 implementation is disabled by default in the EDK2 CryptoPkg configuration.

Recommendation

No impact. The affected DH params are not used by EDK2. EDK2 does not call any DH_check* related functions.

Recommendation

No impact. The affected functions that change the key and IV lengths are not called by EDK2 CryptoPkg.

Recommendation

No impact. The OpenSSL POLY1305 implementation is disabled by default in the CryptoPkg configuration.

No impact. DH code is used in CryptDh.c and TlsLib. In CryptoDh.c, EDK2 does not use DH_check() related functions and existing functions will not call into DH_check(). The TlsLib implementation is not affected by this issue.

CVE-2023-3446 - OpenSSL

Published: 07/19/2023

Recommendation

No impact. The DH code of EDK2 does not call the DH_check() and related functions, or have the risk of using “p” parameters that are too large.

CVE-2023-2975 - OpenSSL

Published: 07/14/2023

Recommendation

No impact. The OpenSSL AES-SIV cipher implementation is disabled by default in the CryptoPkg configuration.

CVE-2023-2650 - OpenSSL

Published: 05/30/2023

Recommendation

OpenSSL 1.1.1u, updated in the edk2-stable202308 stable tag

CVE-2023-0466 - OpenSSL

Published: 03/28/2023

Recommendation

No Impact

EDK2 does not use the OpenSSL function X509_VERIFY_PARAM_add0_policy().

CVE-2023-0465 - OpenSSL

Published: 03/28/2023

Recommendation

No Impact

According to the CVE description, ‘policy’ processing is disabled by default.

For PKCS7, the X509 default parameter is used (NULL is passed in CryptoPkg\Library\BaseCryptLib\Pk\CryptPkcs7VerifyCommon.c)

In X509_STORE_CTX_init(), ‘default’ parameter is used (CryptoPkg\Library\OpensslLib\openssl\crypto\x509\x509_vfy.c)

For X509 verify, no policy parameter is set (CryptoPkg\Library\BaseCryptLib\Pk\CryptX509.c)

CVE-2023-0464 - OpenSSL

Published: 03/22/2023

Recommendation

No Impact

According to the CVE description, ‘policy’ processing is disabled by default.

For PKCS7, the X509 default parameter is used (NULL is passed in CryptoPkg\Library\BaseCryptLib\Pk\CryptPkcs7VerifyCommon.c)

In X509_STORE_CTX_init(), ‘default’ parameter is used (CryptoPkg\Library\OpensslLib\openssl\crypto\x509\x509_vfy.c)

For X509 verify, no policy parameter is set (CryptoPkg\Library\BaseCryptLib\Pk\CryptX509.c)

CVE-2023-0286 - OpenSSL

Published: 02/08/2023

Recommendation

No impact to EDK2 updating will resolve CVE

OpenSSL 1.1.1t, updated in the edk2-stable202305 stable tag

CVE-2023-0215 - OpenSSL

Published: 02/08/2023

Recommendation

OpenSSL 1.1.1t, updated in the edk2-stable202305 stable tag

CVE-2022-4450 - OpenSSL

Published: 02/08/2023

Recommendation

OpenSSL 1.1.1t, updated in the edk2-stable202305 stable tag

CVE-2022-4304 - OpenSSL

Published: 02/08/2023

Recommendation

OpenSSL 1.1.1t, updated in the edk2-stable202305 stable tag