CVE-2015-0289

Name of the Vulnerable Software and Affected Versions OpenSSL versions prior to 0.9.8zf OpenSSL versions prior to 1.0.0r OpenSSL versions prior to 1.0.1m OpenSSL versions prior to 1.0.2a

Description The issue affects the PKCS#7 implementation in OpenSSL, allowing attackers to cause a denial of service (NULL pointer dereference and application crash) by providing malformed data with ASN.1 encoding. This can be exploited remotely. The vulnerability may lead to a disruption of confidentiality, integrity, and availability of protected information.

Recommendations For versions prior to 0.9.8zf, update to version 0.9.8zf or later. For versions prior to 1.0.0r, update to version 1.0.0r or later. For versions prior to 1.0.1m, update to version 1.0.1m or later. For versions prior to 1.0.2a, update to version 1.0.2a or later. As a temporary workaround, consider restricting the processing of arbitrary PKCS#7 data to minimize the risk of exploitation.