PT-2015-1013 · OpenSSL
Brian Carpenter
Published: 2014-10-24
Updated: 2024-06-15
CVE-2015-0288
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
OpenSSL versions prior to 0.9.8zf
OpenSSL versions prior to 1.0.0r
OpenSSL versions prior to 1.0.1m
OpenSSL versions prior to 1.0.2a
Description
The issue concerns multiple vulnerabilities in the OpenSSL package that could lead to a disruption of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely, potentially causing a denial of service (NULL pointer dereference and application crash) via an invalid certificate key. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited.
Recommendations
For OpenSSL versions prior to 0.9.8zf, update to version 0.9.8zf or later.
For OpenSSL versions prior to 1.0.0r, update to version 1.0.0r or later.
For OpenSSL versions prior to 1.0.1m, update to version 1.0.1m or later.
For OpenSSL versions prior to 1.0.2a, update to version 1.0.2a or later.
As a temporary workaround, consider restricting access to the X509_to_X509_REQ function in crypto/x509/x509_req.c until a patch is available.
Affected products
ALT Linux
CentOS
Cisco ASA
Cisco IOS
Cisco IOS XE
Cisco Nexus
Cisco Wls
HP-UX
IBM AIX
Junos
OpenSSL
Red Hat
SUSE
Ubuntu