CVE-2002-0656

Name of the Vulnerable Software and Affected Versions OpenSSL versions 0.9.5a through 0.9.6e OpenSSL versions 0.9.7-beta2 and earlier

Description Multiple vulnerabilities in the OpenSSL package may lead to disruption of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. The issues include buffer overflows in SSL2 and SSL3, allowing remote attackers to execute arbitrary code via a large client master key or a large session ID. Additionally, there are buffer overflows in the handling of the client key value during the negotiation of the SSLv2 protocol and insufficient checking of bounds with regards to ASCII representations of integers on 64-bit platforms. A remotely exploitable denial of service condition has also been reported in the OpenSSL ASN.1 library due to parsing errors.

Recommendations For OpenSSL versions 0.9.5a through 0.9.6e, update to a version later than 0.9.6e to resolve the issue. For OpenSSL versions 0.9.7-beta2 and earlier, update to a version later than 0.9.7-beta2 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable SSL and TLS protocols until a patch is available. Restrict access to the vulnerable ASN.1 library to minimize the risk of exploitation. Avoid using overly large values in SSL and TLS connections to prevent buffer overflows.