PT-2015-1694
Reported by: Adam Langley
Published: 2015-07-09
Updated: 2024-06-15
CVE-2015-1793
CVSS v3.1: 6.5 (Medium)
CVSS v3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
OpenSSL versions 1.0.1n through 1.0.1o
OpenSSL versions 1.0.2b through 1.0.2c
MySQL Server version 5.6.25 and earlier
Description
The vulnerability lies in how X.509 Basic Constraints cA values are handled while alternative certificate chains are being identified. A remote attacker holding a valid leaf (end-entity) certificate can have it treated as a Certification Authority, so certificates issued under it verify successfully. This lets the attacker forge "trusted" certificates that can be used for man-in-the-middle attacks. The vulnerability affects any application that verifies certificates, including SSL/Transport Layer Security (TLS)/Datagram Transport Layer Security (DTLS) clients and SSL/TLS/DTLS servers that use client authentication.
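The chain-building behaviour described above, as an added toy model. This is not OpenSSL's X509_verify_cert code and it performs no signature, name or validity-period checks; it isolates the property the fix restores, namely that every certificate used as an issuer, on the peer-supplied chain or on an alternative chain completed from the trust store, must assert cA=TRUE. All certificate records, names and the two-phase search are constructed for the illustration.

```python
"""Toy model of X.509 chain building with an alternative-chain retry.

Added illustration for CVE-2015-1793; it is not OpenSSL's X509_verify_cert
and performs no signature, name or validity-period checks. It isolates the
property the fix restores: every certificate that acts as an issuer, whether
on the peer-supplied chain or on an alternative chain completed from the
trust store, must assert Basic Constraints cA=TRUE. All records below are
constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ca: bool  # X.509 Basic Constraints cA value; False for end-entity certs


def _extend(chain: List[Cert], pool: List[Cert]) -> List[Cert]:
    """Greedily append issuers found in `pool` on top of `chain` (leaf first)."""
    chain = list(chain)
    while chain[-1].subject != chain[-1].issuer:  # stop at a self-signed cert
        top = chain[-1]
        cands = [c for c in pool if c.subject == top.issuer and c not in chain]
        if not cands:
            break
        chain.append(cands[0])
    return chain


def _build(base: List[Cert], pool: List[Cert],
           anchors: List[Cert]) -> Optional[List[Cert]]:
    """Extend `base` with `pool` and then the trust store; None if no anchor."""
    chain = _extend(_extend(base, pool), anchors)
    return chain if chain[-1] in anchors else None


def check_chain_extensions(chain: List[Cert]) -> bool:
    """Every certificate above the leaf signed the one below it: require cA."""
    return all(c.ca for c in chain[1:])


def verify(leaf: Cert, untrusted: List[Cert], anchors: List[Cert],
           check_ca_on_alternatives: bool = True) -> Optional[List[str]]:
    """Return the subjects of an accepted chain, or None.

    Phase 1 chains through the certificates the peer supplied. If that does
    not reach a trust anchor, phase 2 (alternative chains) discards supplied
    certificates from the top one at a time and completes the chain from the
    trust store instead; that is what lets a cross-signed intermediate still
    verify after its old root has been retired. The cA check has to cover
    both phases; check_ca_on_alternatives=False models a verifier that skips
    it on phase 2, which is the class of flaw CVE-2015-1793 describes.
    """
    chain = _build([leaf], untrusted, anchors)
    if chain is not None:
        return [c.subject for c in chain] if check_chain_extensions(chain) else None

    partial = _extend([leaf], untrusted)
    while len(partial) > 1:
        partial = partial[:-1]
        alt = _build(partial, [], anchors)
        if alt is None:
            continue
        if check_ca_on_alternatives and not check_chain_extensions(alt):
            return None
        return [c.subject for c in alt]
    return None


# Constructed sample PKI: a trusted root, a trusted intermediate, and the same
# intermediate cross-signed by a root that is no longer in the trust store.
ROOT = Cert("Example Root", "Example Root", ca=True)
INTERMEDIATE = Cert("Example Intermediate", "Example Root", ca=True)
INTERMEDIATE_CROSS = Cert("Example Intermediate", "Retired Root", ca=True)
ANCHORS = [ROOT, INTERMEDIATE]
LEAF = Cert("www.example.test", "Example Intermediate", ca=False)

# Regression vector: an ordinary end-entity certificate used as the "issuer"
# of another certificate. A correct verifier rejects it on either phase.
END_ENTITY = Cert("host.example.test", "Example Intermediate", ca=False)
FORGED = Cert("bank.example.test", "host.example.test", ca=False)

if __name__ == "__main__":
    print("cross-signed, alt chain:", verify(LEAF, [INTERMEDIATE_CROSS], ANCHORS))
    print("forged, cA enforced:   ", verify(FORGED, [END_ENTITY, INTERMEDIATE_CROSS], ANCHORS))
    print("forged, cA skipped:    ", verify(FORGED, [END_ENTITY, INTERMEDIATE_CROSS], ANCHORS,
                                            check_ca_on_alternatives=False))
```

The legitimate use of the alternative-chain search is the cross-signed intermediate: the supplied chain dead-ends at a retired root, so the verifier falls back to the trusted copy of the same intermediate. The regression vector shows why `check_chain_extensions` must run on that fallback chain as well: with the check skipped, the end-entity certificate sitting between the forged leaf and the trusted intermediate is accepted as an issuer, which is exactly the CA-role spoofing the record describes.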
Recommendations
For OpenSSL versions 1.0.1n through 1.0.1o, update to a version that addresses this vulnerability.
For OpenSSL versions 1.0.2b through 1.0.2c, update to a version that addresses this vulnerability.
For MySQL Server version 5.6.25 and earlier, update to a version that addresses this vulnerability.
As a temporary workaround, consider restricting access to untrusted certificates to minimize the risk of exploitation. Avoid using the vulnerable X509_verify_cert function until a patch is available.
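A small triage helper for the version ranges this record lists, added here and not part of the record itself. It parses either a bare version such as `1.0.1n` or the full output of `openssl version`, and applies the MySQL Server "5.6.25 and earlier" rule by plain numeric comparison; the sample strings in the comments are constructed.

```python
"""Check OpenSSL and MySQL Server version strings against the affected
ranges stated in this record (1.0.1n-1.0.1o, 1.0.2b-1.0.2c, MySQL <= 5.6.25).
Added helper; the ranges come from the record, the sample inputs are constructed."""
import re
from typing import Optional, Tuple

_OPENSSL_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")
_MYSQL_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Affected OpenSSL letter ranges, keyed by the numeric release line.
OPENSSL_AFFECTED = {
    (1, 0, 1): ("n", "o"),
    (1, 0, 2): ("b", "c"),
}
MYSQL_LAST_AFFECTED = (5, 6, 25)  # "MySQL Server version 5.6.25 and earlier"


def parse_openssl_version(text: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Accept '1.0.1n' or e.g. 'OpenSSL 1.0.1n 11 Jun 2015' (constructed sample)."""
    m = _OPENSSL_RE.search(text)
    if not m:
        return None
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return base, m.group(4)


def openssl_affected(text: str) -> bool:
    """True when the version falls inside one of the affected letter ranges."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return False
    base, letter = parsed
    rng = OPENSSL_AFFECTED.get(base)
    if rng is None or not letter:
        # Other release lines, or a bare 1.0.1 / 1.0.2 release that predates
        # the first affected letter release, are outside the listed ranges.
        return False
    return rng[0] <= letter <= rng[1]


def mysql_affected(text: str) -> bool:
    """True for MySQL Server versions at or below the last affected release."""
    m = _MYSQL_RE.search(text)
    if not m:
        return False
    return tuple(int(g) for g in m.groups()) <= MYSQL_LAST_AFFECTED


if __name__ == "__main__":
    import subprocess
    # Run the local binary; the parser tolerates the trailing build date.
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    print(out.strip(), "->", "AFFECTED" if openssl_affected(out) else "not in listed ranges")
```

A version outside the listed ranges is not proof of safety (vendor backports and rebuilt packages carry their own version strings), so treat this as a first-pass filter before checking the package changelog.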
Affected Products
ALT Linux
Cisco IOS XE
Cisco WLS
HP-UX
Junos
MySQL Server
OpenSSL
SUSE