CVE-2015-1792

Name of the Vulnerable Software and Affected Versions OpenSSL versions 0.9.8 through 0.9.8zg OpenSSL versions 1.0.0 through 1.0.0s OpenSSL versions 1.0.1 through 1.0.1n OpenSSL versions 1.0.2 through 1.0.2b

Description The issue is related to errors in resource management in the do free upto function, which can cause a denial of service (infinite loop) when presented with an unknown hash function OID. This can be triggered by an unrecognized X.660 OID for a hash function, allowing a remote attacker to cause a denial of service. The estimated number of potentially affected devices is not specified.

Recommendations For OpenSSL versions 0.9.8 through 0.9.8zg, update to version 0.9.8zg or later. For OpenSSL versions 1.0.0 through 1.0.0s, update to version 1.0.0s or later. For OpenSSL versions 1.0.1 through 1.0.1n, update to version 1.0.1n or later. For OpenSSL versions 1.0.2 through 1.0.2b, update to version 1.0.2b or later. As a temporary workaround, consider restricting the use of the do free upto function until a patch is available. Avoid using unrecognized X.660 OIDs for hash functions in the affected API endpoints until the issue is resolved.