OpenSSL
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*, +1 more
- 3.5
A vulnerability exists in OpenSSL 3.5 within the x509 application, where the -addreject option incorrectly adds a trusted use instead of marking it as rejected for a certificate. This issue arises from a code refactoring error and affects users who rely on the trusted certificate format and use the x509 command line application to manage rejected uses. As a result, a certificate intended to be rejected for a specific use may be mistakenly marked as trusted for that use.
The vulnerability can lead to improper trust management of certificates, allowing a certificate to be trusted for uses where it was intended to be rejected. This could cause issues in applications that rely on correct certificate trust policies, such as TLS or CMS.
To reproduce this vulnerability, use the OpenSSL x509 command line application version 3.5. Add a trusted use to a certificate and then attempt to mark a use as rejected using the -addreject option. The certificate will incorrectly reflect the rejected use as trusted instead.
Users of OpenSSL 3.5 should upgrade to OpenSSL 3.5.1 once it is released. The fix is also available in the OpenSSL GitHub repository commit e96d2244.