PT-2015-1015 · Openssl+8 · Openssl+12
David Ramos
+1
·
Published
2014-10-24
·
Updated
2022-12-13
·
CVE-2015-0292
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
OpenSSL versions prior to 0.9.8za
OpenSSL versions prior to 1.0.0m
OpenSSL versions prior to 1.0.1h
Description
The issue affects the confidentiality, integrity, and availability of protected information. It can be exploited remotely, potentially leading to a denial of service or memory corruption via crafted base64 data that triggers a buffer overflow. The vulnerability is related to an integer underflow in the
EVP DecodeUpdate function in the base64-decoding implementation.Recommendations
For versions prior to 0.9.8za, update to version 0.9.8za or later.
For versions prior to 1.0.0m, update to version 1.0.0m or later.
For versions prior to 1.0.1h, update to version 1.0.1h or later.
As a temporary workaround, consider restricting access to the
EVP DecodeUpdate function until a patch is available. Avoid using crafted base64 data in the affected API endpoints until the issue is resolved.Exploit
Fix
DoS
Buffer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Centos
Cisco Asa
Cisco Ios
Cisco Ios Xe
Cisco Nexus
Cisco Wls
Hp-Ux
Ibm Aix
Junos
Openssl
Red Hat
Suse
Ubuntu