PT-2014-1699 · Openssl+7 · Openssl+7

Published

2014-08-06

·

Updated

2024-06-15

·

CVE-2014-3508

CVSS v2.0

4.3

Medium

VectorAV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions OpenSSL versions 0.9.8 through 0.9.8zb OpenSSL versions 1.0.0 through 1.0.0n OpenSSL versions 1.0.1 through 1.0.1i
Description The issue arises from the OBJ obj2txt function in OpenSSL when pretty printing is used, as it does not ensure the presence of '0' characters. This allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from functions such as X509 name oneline and X509 name print ex.
Recommendations For OpenSSL versions 0.9.8 through 0.9.8zb, update to version 0.9.8zb or later. For OpenSSL versions 1.0.0 through 1.0.0n, update to version 1.0.0n or later. For OpenSSL versions 1.0.1 through 1.0.1i, update to version 1.0.1i or later. As a temporary workaround, consider disabling pretty printing in the OBJ obj2txt function until a patch is available.

Exploit

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

ALT-PU-2014-2312
BDU:2015-00649
CESA-2014_1052
CVE-2014-3508
DLA-33-1
DSA-2998-1
HPSBUX03095
MGASA-2014-0325
OPENSUSE-SU-2016_0640-1
OPENSUSE-SU-2024:10271-1
OPENSUSE-SU-2024:10309-1
OPENSUSE-SU-2024:10529-1
OPENSUSE-SU-2024:11127-1
RHSA-2014:1052
RHSA-2014:1053
RHSA-2014:1054
RHSA-2014_1052
RHSA-2014_1053
SUSE-FU-2022:0445-1
SUSE-RU-2015:0769-1
SUSE-SU-2015:0182-2
SUSE-SU-2015:0543-1
SUSE-SU-2015:0545-1
SUSE-SU-2015:0545-2
SUSE-SU-2015:0546-1
SUSE-SU-2015:0578-1
SUSE-SU-2015:1182-1
SUSE-SU-2015:1182-2
SUSE-SU-2015:1183-1
SUSE-SU-2015:1184-1
SUSE-SU-2015:1184-2
SUSE-SU-2015:1185-1
SUSE-SU-403
USN-2308-1

Affected Products

Alt Linux
Centos
Hp-Ux
Ibm Aix
Openssl
Red Hat
Suse
Ubuntu