CVE-2015-1790

Name of the Vulnerable Software and Affected Versions OpenSSL versions prior to 0.9.8zg OpenSSL versions prior to 1.0.0s OpenSSL versions prior to 1.0.1n OpenSSL versions prior to 1.0.2b

Description The issue is related to the PKCS7 dataDecode function in OpenSSL, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data. This is due to errors in pointer handling. The vulnerability can be exploited by an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory.

Recommendations For versions prior to 0.9.8zg, update to version 0.9.8zg or later. For versions prior to 1.0.0s, update to version 1.0.0s or later. For versions prior to 1.0.1n, update to version 1.0.1n or later. For versions prior to 1.0.2b, update to version 1.0.2b or later. As a temporary workaround, consider only accepting PKCS7 files from trusted sources.