CVE-2015-1789

Name of the Vulnerable Software and Affected Versions OpenSSL versions 0.9.8 through 0.9.8zg OpenSSL versions 1.0.0 through 1.0.0s OpenSSL versions 1.0.1 through 1.0.1n OpenSSL versions 1.0.2 through 1.0.2b

Description The issue is related to the X509 cmp time function, which does not properly check the length of the ASN1 TIME string and can read a few bytes out of bounds. This can allow remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1 TIME data. The vulnerability can be exploited by an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory.

Recommendations For OpenSSL versions 0.9.8 through 0.9.8zg, update to version 0.9.8zg or later. For OpenSSL versions 1.0.0 through 1.0.0s, update to version 1.0.0s or later. For OpenSSL versions 1.0.1 through 1.0.1n, update to version 1.0.1n or later. For OpenSSL versions 1.0.2 through 1.0.2b, update to version 1.0.2b or later. As a temporary workaround, consider restricting the use of the X509 cmp time function until a patch is available.