CVE-2015-0286

Name of the Vulnerable Software and Affected Versions OpenSSL versions prior to 0.9.8zf OpenSSL versions prior to 1.0.0r OpenSSL versions prior to 1.0.1m OpenSSL versions prior to 1.0.2a Red Hat Enterprise Linux (affected versions not specified)

Description The issue concerns multiple vulnerabilities in the OpenSSL package of Red Hat Enterprise Linux, which can lead to breaches of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. Specifically, the ASN1 TYPE cmp function in crypto/asn1/a type.c does not properly perform boolean-type comparisons, allowing remote attackers to cause a denial of service via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature.

Recommendations For OpenSSL versions prior to 0.9.8zf, update to version 0.9.8zf or later. For OpenSSL versions prior to 1.0.0r, update to version 1.0.0r or later. For OpenSSL versions prior to 1.0.1m, update to version 1.0.1m or later. For OpenSSL versions prior to 1.0.2a, update to version 1.0.2a or later. For Red Hat Enterprise Linux, update the OpenSSL package to a version that contains the fix for this issue. As a temporary workaround, consider restricting access to endpoints that use the certificate-verification feature until a patch is available.