CVE-2015-0287

Name of the Vulnerable Software and Affected Versions OpenSSL versions prior to 0.9.8zf OpenSSL versions prior to 1.0.0r OpenSSL versions prior to 1.0.1m OpenSSL versions prior to 1.0.2a

Description The issue affects the OpenSSL package, which is used in various operating systems, including Red Hat Enterprise Linux. Exploitation of the vulnerabilities can lead to a violation of confidentiality, integrity, and availability of protected information. The vulnerabilities can be exploited remotely. The ASN1 item ex d2i function in crypto/asn1/tasn dec.c does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse.

Recommendations For OpenSSL versions prior to 0.9.8zf, update to version 0.9.8zf or later. For OpenSSL versions prior to 1.0.0r, update to version 1.0.0r or later. For OpenSSL versions prior to 1.0.1m, update to version 1.0.1m or later. For OpenSSL versions prior to 1.0.2a, update to version 1.0.2a or later.