PT-2015-1012 · Openssl+9 · Openssl+13
Emilia Käsper
·
Published
2014-10-24
·
Updated
2024-06-15
·
CVE-2015-0287
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
OpenSSL versions prior to 0.9.8zf
OpenSSL versions prior to 1.0.0r
OpenSSL versions prior to 1.0.1m
OpenSSL versions prior to 1.0.2a
Description
The issue affects the OpenSSL package, which is used in various operating systems, including Red Hat Enterprise Linux. Exploitation of the vulnerabilities can lead to a violation of confidentiality, integrity, and availability of protected information. The vulnerabilities can be exploited remotely. The ASN1 item ex d2i function in crypto/asn1/tasn dec.c does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse.
Recommendations
For OpenSSL versions prior to 0.9.8zf, update to version 0.9.8zf or later.
For OpenSSL versions prior to 1.0.0r, update to version 1.0.0r or later.
For OpenSSL versions prior to 1.0.1m, update to version 1.0.1m or later.
For OpenSSL versions prior to 1.0.2a, update to version 1.0.2a or later.
Exploit
Fix
DoS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Centos
Cisco Asa
Cisco Ios
Cisco Ios Xe
Cisco Nexus
Cisco Wls
Hp-Ux
Ibm Aix
Junos
Openssl
Red Hat
Suse
Ubuntu