SecurityTracker.com
SecurityTracker Archives
Category:   Application (VPN)  >   OpenSSL
Vendors:   OpenSSL.org
OpenSSL Multiple Flaws Let Remote Users Deny Service
SecurityTracker Alert ID:  1031929
SecurityTracker URL:  http://securitytracker.com/id/1031929
CVE Reference:   CVE-2015-0207, CVE-2015-0208, CVE-2015-0209, CVE-2015-0285, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0290, CVE-2015-0291, CVE-2015-0292, CVE-2015-0293, CVE-2015-1787
Updated:  Mar 19 2015
Original Entry Date:  Mar 16 2015
Impact:   Denial of service via network, Modification of system information, Not specified
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to versions 0.9.8zf, 1.0.0r, 1.0.1m, 1.0.2a
Description:   Several vulnerabilities were reported in OpenSSL. A remote user can cause denial of service conditions on the target system.

A remote user can send a specially crafted ClientHello message to trigger a segmentation fault in DTLSv1_listen() and cause the target service to crash [CVE-2015-0207]. Only version 1.0.2 is affected, and only DTLS services are affected. Per Allansson reported this vulnerability.

A remote user can send an ASN.1 signature using the RSA PSS algorithm and specially crafted parameters to cause the target application to crash [CVE-2015-0208]. Only version 1.0.2 is affected. Brian Carpenter reported this vulnerability.

A user can invoke the d2i_ECPrivateKey() function with a specially crafted EC private key file to trigger a memory free error (a use-after-free) and cause denial of service conditions [CVE-2015-0209]. Applications that receive EC private keys from untrusted sources may be affected. The BoringSSL project reported this vulnerability.

In certain situations, a client may complete a handshake using an unseeded PRNG [CVE-2015-0285]. As a result, information generated during the handshake (such as keys) may be predictable. Only version 1.0.2 is affected. Matt Caswell of the OpenSSL development team reported this vulnerability.

A remote user can send a specially crafted ASN.1 boolean type to trigger a flaw in the ASN1_TYPE_cmp() function and cause the target application to crash [CVE-2015-0286]. Stephen Henson of the OpenSSL development team reported this vulnerability.

A remote user can send specially crafted ASN.1 data to trigger a memory corruption error in the target application [CVE-2015-0287]. Applications that parse structures containing CHOICE or ANY DEFINED BY components may be affected. OpenSSL clients and servers are not affected. Emilia Kasper reported this vulnerability.

A user can invoke the X509_to_X509_REQ() function with an invalid certificate key to trigger a null pointer dereference and cause the target application to crash [CVE-2015-0288]. Brian Carpenter reported this vulnerability.

A remote user can send specially crafted ASN.1-encoded PKCS#7 blobs with missing ContentInfo to trigger a null pointer dereference and cause the target application to crash [CVE-2015-0289]. OpenSSL clients and servers are not affected. Michal Zalewski of Google and Emilia Kasper of the OpenSSL development team reported this vulnerability.

A remote user may be able to trigger a flaw in the 'multiblock' code on 64-bit x86 systems that support AES NI instructions and cause the target system to potentially crash [CVE-2015-0290]. Only version 1.0.2 is affected. Daniel Danner and Rainer Mueller reported this vulnerability.

A remote user can renegotiate with an invalid signature algorithm extension to trigger a null pointer dereference and cause the target service to crash [CVE-2015-0291]. Only version 1.0.2 is affected. David Ramos (@ramosbugs) of Stanford University reported this vulnerability.

A remote user can send specially crafted base64-encoded data to trigger a memory corruption error in the OpenSSL base64 decoder (EVP_DecodeUpdate()) and cause the target application or service to crash [CVE-2015-0292]. Versions 0.9.8, 1.0.0, and 1.0.1 are affected. Robert Dugal and David Ramos separately reported this vulnerability.

[Editor's note: This vulnerability was previously fixed in source code commits d0666f289a (1.0.1), 84fe686173 (1.0.0) and 9febee0272 (0.9.8) but was not disclosed in a security advisory.]

A remote user can send a specially crafted SSLv2 CLIENT-MASTER-KEY message to cause the target server to crash [CVE-2015-0293]. Systems that both support SSLv2 and enable export cipher suites are affected. Sean Burford of Google and Emilia Kasper of the OpenSSL development team reported this vulnerability.

A remote user can select a DHE ciphersuite and send a zero length ClientKeyExchange message to cause the target service to crash [CVE-2015-1787]. Only version 1.0.2 is affected. Matt Caswell of the OpenSSL development team reported this vulnerability.

Impact:   A remote user can cause denial of service conditions on the target system.

A remote user may be able to more readily predict keys in certain cases.

Solution:   The vendor has issued a fix (0.9.8zf, 1.0.0r, 1.0.1m, 1.0.2a).

The vendor's advisory is available at:

http://openssl.org/news/secadv_20150319.txt
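As an added example (not part of this SecurityTracker entry and not OpenSSL's own tooling), the following Python script takes an OpenSSL version string, as printed by `openssl version`, and reports which of the CVEs in this entry apply to an unpatched upstream build of that branch. The fixed releases and the per-CVE branch restrictions are the ones stated in the description above; the ordering of OpenSSL's letter suffixes ('' before 'a' ... 'z' before 'za' ... 'zf') is what makes the comparison non-trivial. The sample version strings are constructed for illustration.

```python
import re

# Fixed releases named in the advisory, keyed by release branch.
FIXED_IN = {"0.9.8": "0.9.8zf", "1.0.0": "1.0.0r", "1.0.1": "1.0.1m", "1.0.2": "1.0.2a"}

ALL_CVES = [
    "CVE-2015-0207", "CVE-2015-0208", "CVE-2015-0209", "CVE-2015-0285",
    "CVE-2015-0286", "CVE-2015-0287", "CVE-2015-0288", "CVE-2015-0289",
    "CVE-2015-0290", "CVE-2015-0291", "CVE-2015-0292", "CVE-2015-0293",
    "CVE-2015-1787",
]

# Branch restrictions taken from the per-CVE description in this entry. A CVE
# not listed here affects every branch prior to that branch's fixed release.
BRANCH_ONLY = {
    "CVE-2015-0207": {"1.0.2"},
    "CVE-2015-0208": {"1.0.2"},
    "CVE-2015-0285": {"1.0.2"},
    "CVE-2015-0290": {"1.0.2"},
    "CVE-2015-0291": {"1.0.2"},
    "CVE-2015-1787": {"1.0.2"},
    "CVE-2015-0292": {"0.9.8", "1.0.0", "1.0.1"},
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (branch, letters) for an OpenSSL 0.9.8/1.0.x version string.

    Accepts a bare version ('1.0.1k'), the output of `openssl version`
    ('OpenSSL 1.0.1k 8 Jan 2015') and distro-suffixed strings ('1.0.1e-fips').
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    branch = "%s.%s.%s" % m.group(1, 2, 3)
    return branch, m.group(4)


def _letter_key(letters):
    # OpenSSL patch letters run '' < 'a' < ... < 'z' < 'za' < 'zb' < ..., so
    # ordering by (length, lexical) reproduces the release sequence.
    return (len(letters), letters)


def is_fixed(version):
    """True if `version` is at or past the fixed release of its branch.

    Raises ValueError for branches this advisory does not cover, rather than
    silently reporting them as safe.
    """
    branch, letters = parse_version(version)
    if branch not in FIXED_IN:
        raise ValueError("branch %s is not covered by this advisory" % branch)
    _, fixed_letters = parse_version(FIXED_IN[branch])
    return _letter_key(letters) >= _letter_key(fixed_letters)


def affected_cves(version):
    """List the CVEs from this entry that apply to an unpatched upstream build."""
    if is_fixed(version):
        return []
    branch, _ = parse_version(version)
    return [c for c in ALL_CVES if branch in BRANCH_ONLY.get(c, set(FIXED_IN))]


if __name__ == "__main__":
    # Constructed sample inputs in the format `openssl version` prints.
    for sample in ("OpenSSL 1.0.1k 8 Jan 2015", "OpenSSL 1.0.2 22 Jan 2015",
                   "OpenSSL 1.0.2a 19 Mar 2015", "OpenSSL 0.9.8ze 15 Jan 2015"):
        cves = affected_cves(sample)
        print(sample, "->", "fixed" if not cves else ", ".join(cves))
```

One caveat the version string cannot answer: distribution packages (Red Hat, Ubuntu, FreeBSD and the others listed in the message history below) backport these fixes without changing the upstream version letter, so a build reporting 1.0.1e may already be patched. On such systems the package changelog or the distribution's own advisory is the authoritative check; this script only tells you whether an upstream release is old enough to be in scope.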

Vendor URL:  openssl.org/news/secadv_20150319.txt
Cause:   Access control error, Randomization error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 19 2015 (FreeBSD Issues Fix) OpenSSL Multiple Flaws Let Remote Users Deny Service
FreeBSD has issued a fix for FreeBSD 8.4, 9.3, and 10.1.
Mar 20 2015 (Ubuntu Issues Fix) OpenSSL Multiple Flaws Let Remote Users Deny Service
Ubuntu has issued a fix for Ubuntu 10.04 LTS, 12.04 LTS, 14.04 LTS, and 14.10.
Mar 24 2015 (Red Hat Issues Fix) OpenSSL Multiple Flaws Let Remote Users Deny Service
Red Hat has issued a fix for Red Hat Enterprise Linux 6 and 7.
Mar 30 2015 (Red Hat Issues Fix for Red Hat Storage) OpenSSL Multiple Flaws Let Remote Users Deny Service
Red Hat has issued a fix for Red Hat Storage Server 2.1.
Apr 13 2015 (Red Hat Issues Fix) OpenSSL Multiple Flaws Let Remote Users Deny Service
Red Hat has issued a fix for Red Hat Enterprise Linux 5.
May 4 2015 (Splunk Issues Fix for Splunk) OpenSSL Multiple Flaws Let Remote Users Deny Service
Splunk has issued a fix for Splunk Enterprise and Light.
May 16 2015 (IBM Issues Fix for IBM Power Hardware Management Console) OpenSSL Multiple Flaws Let Remote Users Deny Service
IBM has issued a fix for IBM Power Hardware Management Console.
May 20 2015 (HP Issues Fix for HP-UX) OpenSSL Multiple Flaws Let Remote Users Deny Service
HP has issued a fix for HP-UX 11.11, 11.23, and 11.31.
May 29 2015 (Splunk Issues Fix for Splunk Enterprise) OpenSSL Multiple Flaws Let Remote Users Deny Service
Splunk has issued a fix for Splunk Enterprise.
Jun 3 2015 (Juniper Issues Advisory for Juniper SBR Carrier) OpenSSL Multiple Flaws Let Remote Users Deny Service
Juniper has issued an advisory for Juniper SBR Carrier.
Jun 3 2015 (Juniper Issues Fix for Juniper ScreenOS) OpenSSL Multiple Flaws Let Remote Users Deny Service
Juniper has issued a fix for Juniper ScreenOS.
Jun 3 2015 (Juniper Issues Advisory for Juniper SRC) OpenSSL Multiple Flaws Let Remote Users Deny Service
Juniper has issued an advisory for Juniper SRC.
Jun 3 2015 (Juniper Issues Fix for Juniper Pulse Secure) OpenSSL Multiple Flaws Let Remote Users Deny Service
Juniper has issued a fix for Juniper Pulse Secure.
Jun 3 2015 (Juniper Issues Fix for Juniper NSM) OpenSSL Multiple Flaws Let Remote Users Deny Service
Juniper has issued a fix for Juniper NSM.
Jun 3 2015 (Juniper Issues Fix for Juniper Junos Space) OpenSSL Multiple Flaws Let Remote Users Deny Service
Juniper has issued an advisory for Juniper Junos Space.
Jun 3 2015 (Juniper Issues Advisory for Juniper IDP) OpenSSL Multiple Flaws Let Remote Users Deny Service
Juniper has issued an advisory for Juniper IDP.
Jun 3 2015 (Juniper Issues Fix for Juniper Junos) OpenSSL Multiple Flaws Let Remote Users Deny Service
Juniper has issued a fix for Juniper Junos.
Jun 19 2015 (IBM Issues Fix for IBM Security Network Protection) OpenSSL Multiple Flaws Let Remote Users Deny Service
IBM has issued a fix for IBM Security Network Protection.
Jul 7 2015 (IBM Issues Fix for IBM Cognos Metrics Manager) OpenSSL Multiple Flaws Let Remote Users Deny Service
IBM has issued a fix for IBM Cognos Metrics Manager.
Jul 17 2015 (Brocade Communications Systems Issues Advisory for Brocade Switches) OpenSSL Multiple Flaws Let Remote Users Deny Service
Brocade Communications Systems has issued an advisory for Brocade Switches.
Jul 22 2015 (HP Issues Fix for HP System Management Homepage) OpenSSL Multiple Flaws Let Remote Users Deny Service
HP has issued a fix for HP System Management Homepage.
Aug 13 2015 (IBM Issues Fix for IBM Tivoli Provisioning Manager for OS Deployment) OpenSSL Multiple Flaws Let Remote Users Deny Service
IBM has issued a fix for IBM Tivoli Provisioning Manager for OS Deployment.
Aug 20 2015 (HP Issues Fix for HP Version Control Agent) OpenSSL Multiple Flaws Let Remote Users Deny Service
HP has issued a fix for HP Version Control Agent.
Aug 21 2015 (NetBSD Issues Fix) OpenSSL Multiple Flaws Let Remote Users Deny Service
NetBSD has issued a fix for NetBSD 5.1, 5.2, 6.0, 6.1.
Aug 27 2015 (IBM Issues Fix for IBM Tivoli Common Reporting) OpenSSL Multiple Flaws Let Remote Users Deny Service
IBM has issued a fix for IBM Tivoli Common Reporting.
Aug 30 2015 (IBM Issues Fix for IBM Tivoli Workload Scheduler) OpenSSL Multiple Flaws Let Remote Users Deny Service
IBM has issued a fix for IBM Tivoli Workload Scheduler.
Sep 17 2015 (Apple Issues Fix for Apple iOS) OpenSSL Multiple Flaws Let Remote Users Deny Service
Apple has issued a fix for Apple iOS.
Oct 1 2015 (Apple Issues Fix for Apple OS X) OpenSSL Multiple Flaws Let Remote Users Deny Service
Apple has issued a fix for Apple OS X.
Mar 1 2016 (Red Hat Issues Fix) OpenSSL Multiple Flaws Let Remote Users Deny Service
Red Hat has issued a fix for Red Hat Enterprise Linux 6.2, 6.4, and 6.5.
Mar 1 2016 (Red Hat Issues Fix) OpenSSL Multiple Flaws Let Remote Users Deny Service
Red Hat has issued a fix for Red Hat Enterprise Linux 5.6 and 5.9.
Mar 9 2016 (Red Hat Issues Fix) OpenSSL Multiple Flaws Let Remote Users Deny Service
Red Hat has issued a fix for Red Hat Enterprise Linux 6 and 7.
Mar 15 2016 (Red Hat Issues Fix for JBoss Web Server) OpenSSL Multiple Flaws Let Remote Users Deny Service
Red Hat has issued a fix for JBoss Web Server.
Mar 22 2016 (Red Hat Issues Fix for JBoss Enterprise Application Platform) OpenSSL Multiple Flaws Let Remote Users Deny Service
Red Hat has issued a fix for JBoss EAP for Windows and Solaris.
Sep 15 2016 (Citrix Issues Fix for Citrix NetScaler) OpenSSL Multiple Flaws Let Remote Users Deny Service
Citrix has issued a fix for Citrix NetScaler.
Source Message Contents

[Original Message Not Available for Viewing]

Copyright 2018, SecurityGlobal.net LLC