PT-2002-1689 · OpenSSL · OpenSSL
Published: 2002-07-31 · Updated: 2008-09-10 · CVE-2002-0657
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
OpenSSL versions 0.9.6e and earlier
OpenSSL versions 0.9.7 before 0.9.7-beta3
Description
The issue allows attackers to execute arbitrary code via a long master key when Kerberos is enabled. A buffer on the remote system can also be overflowed by supplying an oversized SSL version 3 session ID. Additionally, a buffer overflow has been reported in the handling of the client key value during SSLv2 protocol negotiation. Insufficient bounds checking on ASCII representations of integers on 64-bit platforms can also lead to buffer overflow conditions. A remotely exploitable denial-of-service condition has been reported in the OpenSSL ASN.1 library due to parsing errors.
Recommendations
For OpenSSL versions 0.9.6e and earlier, update to a version later than 0.9.6e to resolve the issue.
For OpenSSL versions 0.9.7 before 0.9.7-beta3, update to version 0.9.7-beta3 or later to resolve the issue.
As a temporary workaround, consider disabling Kerberos for SSL version 3 to minimize the risk of exploitation.
Restrict access to the SSLv2 protocol to minimize the risk of exploitation until the issue is resolved.
Avoid using overly large values for ASCII representations of integers on 64-bit platforms until the issue is resolved.
Affected Products
OpenSSL