PT-2014-1699 · Openssl+7 · Openssl+7

Publicado

2014-08-06

·

Atualizado

2024-06-15

·

CVE-2014-3508

CVSS v2.0

4.3

Média

VetorAV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions OpenSSL versions 0.9.8 through 0.9.8zb OpenSSL versions 1.0.0 through 1.0.0n OpenSSL versions 1.0.1 through 1.0.1i
Description The issue arises from the OBJ obj2txt function in OpenSSL when pretty printing is used, as it does not ensure the presence of '0' characters. This allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from functions such as X509 name oneline and X509 name print ex.
Recommendations For OpenSSL versions 0.9.8 through 0.9.8zb, update to version 0.9.8zb or later. For OpenSSL versions 1.0.0 through 1.0.0n, update to version 1.0.0n or later. For OpenSSL versions 1.0.1 through 1.0.1i, update to version 1.0.1i or later. As a temporary workaround, consider disabling pretty printing in the OBJ obj2txt function until a patch is available.

Exploit

Correção

Information Disclosure

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-200

Identificadores relacionados

ALT-PU-2014-2312
BDU:2015-00649
CESA-2014_1052
CVE-2014-3508
DLA-33-1
DSA-2998-1
HPSBUX03095
MGASA-2014-0325
OPENSUSE-SU-2016_0640-1
OPENSUSE-SU-2024:10271-1
OPENSUSE-SU-2024:10309-1
OPENSUSE-SU-2024:10529-1
OPENSUSE-SU-2024:11127-1
RHSA-2014:1052
RHSA-2014:1053
RHSA-2014:1054
RHSA-2014_1052
RHSA-2014_1053
SUSE-FU-2022:0445-1
SUSE-RU-2015:0769-1
SUSE-SU-2015:0182-2
SUSE-SU-2015:0543-1
SUSE-SU-2015:0545-1
SUSE-SU-2015:0545-2
SUSE-SU-2015:0546-1
SUSE-SU-2015:0578-1
SUSE-SU-2015:1182-1
SUSE-SU-2015:1182-2
SUSE-SU-2015:1183-1
SUSE-SU-2015:1184-1
SUSE-SU-2015:1184-2
SUSE-SU-2015:1185-1
SUSE-SU-403
USN-2308-1

Produtos afetados

Alt Linux
Centos
Hp-Ux
Ibm Aix
Openssl
Red Hat
Suse
Ubuntu