SecurityTracker.com
Category:   Application (VPN)  >   OpenSSL Vendors:   OpenSSL.org
OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
SecurityTracker Alert ID:  1032564
SecurityTracker URL:  http://securitytracker.com/id/1032564
CVE Reference:   CVE-2014-8176, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792
Date:  Jun 11 2015
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 0.9.8, 1.0.0, 1.0.1, 1.0.2
Description:   Multiple vulnerabilities were reported in OpenSSL. A remote user can cause denial of service conditions on the target system. A remote DTLS peer may be able to execute arbitrary code on the target system.

A remote DTLS peer can send application data to the target system between the ChangeCipherSpec and Finished handshake messages, i.e. before the handshake has completed and the peer has been authenticated, to trigger an invalid memory free. The result is a segmentation fault or memory corruption and potentially arbitrary code execution [CVE-2014-8176]. Versions 0.9.8 prior to 0.9.8za, 1.0.0 prior to 1.0.0m, and 1.0.1 prior to 1.0.1h are affected; the fix had already shipped in those releases before this advisory, and 1.0.2 is not listed as affected.

Praveen Kariyanahalli reported this vulnerability; Ivan Fratric and Felix Groebert of Google separately reported it as well.

A remote user can supply specially crafted (malformed) ECParameters to cause the target service to enter an infinite loop [CVE-2015-1788]. Any application that processes public keys, certificate requests, or certificates carrying such parameters is affected, which includes TLS clients and TLS servers with client authentication enabled. Versions 1.0.1 and 1.0.2 are affected.

Joseph Birr-Pixton reported this vulnerability on April 6, 2015.

A remote user can create a specially crafted certificate or certificate revocation list (CRL) that, when processed by the target application, will trigger an out-of-bounds memory read in X509_cmp_time(), which does not properly check the length of the ASN1_TIME string it parses, and cause a segmentation fault [CVE-2015-1789]. TLS clients that verify CRLs are affected. TLS clients and servers with client authentication enabled may be affected if they use custom verification callbacks.

Robert Swiecki of Google reported this vulnerability on April 8, 2015, and Hanno Böck independently reported it on April 11, 2015.

A remote user can create specially crafted ASN.1-encoded PKCS#7 data with a missing EnvelopedContent component to trigger a null pointer dereference when it is parsed [CVE-2015-1790]. Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL TLS clients and servers are not affected. The vendor did not state an impact beyond the null pointer dereference, which crashes the parsing process.

Michal Zalewski of Google reported this vulnerability on April 18, 2015.

A remote user can create a specially crafted signedData message that specifies an unknown hash function OID to trigger an infinite loop in the CMS code when the message is verified [CVE-2015-1792]. Any application that verifies signedData messages using the CMS code is affected.

Johannes Bauer reported this vulnerability on March 31, 2015.

Impact:   A remote user can cause the target application to crash or enter an infinite loop.

A remote DTLS peer may be able to execute arbitrary code on the target system.

For the PKCS#7 issue the vendor did not state an impact beyond the null pointer dereference (a crash of the parsing process).

Solution:   The vendor has issued a fix: upgrade to 0.9.8zg, 1.0.0s, 1.0.1n, or 1.0.2b, according to the branch in use.

The vendor's advisory is available at:

http://openssl.org/news/secadv_20150611.txt
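The following script is an added example for this page, not code from OpenSSL or SecurityTracker. It takes the banner printed by `openssl version` and reports, per CVE, whether that release is affected, fixed, or not listed, using only the affected and fixed versions stated in this advisory. The branch table, the verdict strings, and the ordering rule for OpenSSL's pre-1.1.0 patch letters (a..y, z, then za, zb, ...) are this script's own assumptions.

```python
"""Triage an `openssl version` banner against OpenSSL secadv_20150611.

Added example for this page; not code from OpenSSL or SecurityTracker.
Affected/fixed versions come from the advisory text; the table layout and
verdict strings are this script's own.
"""
import re
import subprocess
import sys
from typing import Dict, NamedTuple, Optional

# Releases that close the June 2015 advisory, per branch (Solution section).
FIXED_20150611: Dict[str, str] = {"0.9.8": "zg", "1.0.0": "s", "1.0.1": "n", "1.0.2": "b"}

# CVE-2014-8176 had already been closed in 0.9.8za, 1.0.0m and 1.0.1h; the
# advisory does not list 1.0.2 as affected at all (None = never affected).
FIXED_DTLS: Dict[str, Optional[str]] = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h", "1.0.2": None}

# CVE-2015-1788 (ECParameters infinite loop) is listed only for 1.0.1 and 1.0.2.
ECPARAMS_BRANCHES = frozenset({"1.0.1", "1.0.2"})

ALL_CVES = ("CVE-2014-8176", "CVE-2015-1788", "CVE-2015-1789",
            "CVE-2015-1790", "CVE-2015-1792")

# Matches "OpenSSL 1.0.1k 8 Jan 2015", "1.0.2b", "OpenSSL 1.0.1e-fips 11 Feb 2013"
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+\.\d+\.\d+)([a-z]*)")


class OpenSSLVersion(NamedTuple):
    branch: str   # e.g. "1.0.1"
    letter: str   # e.g. "k" or "za"; "" for the bare x.y.z release


def parse_version(banner: str) -> OpenSSLVersion:
    """Parse the leading version out of an `openssl version` banner."""
    m = _VERSION_RE.match(banner.strip())
    if m is None:
        raise ValueError(f"not an OpenSSL version string: {banner!r}")
    return OpenSSLVersion(branch=m.group(1), letter=m.group(2))


def _letter_key(letter: str):
    # Pre-1.1.0 patch letters run a..y, z, za, zb, ...: a shorter suffix sorts
    # first, then lexically, so "" < "y" < "za" < "zg".
    return (len(letter), letter)


def at_or_after(v: OpenSSLVersion, fixed_letter: str) -> bool:
    """True when v is the fixed release of its branch or a later one."""
    return _letter_key(v.letter) >= _letter_key(fixed_letter)


def triage(banner: str) -> Dict[str, str]:
    """Per-CVE verdict: 'affected', 'fixed', 'not affected' or 'unknown'.

    'unknown' means the branch is not one this advisory covers (e.g. 1.1.0+).
    """
    v = parse_version(banner)
    if v.branch not in FIXED_20150611:
        return {cve: "unknown" for cve in ALL_CVES}

    verdict: Dict[str, str] = {}

    dtls_fix = FIXED_DTLS[v.branch]
    if dtls_fix is None:
        verdict["CVE-2014-8176"] = "not affected"
    else:
        verdict["CVE-2014-8176"] = "fixed" if at_or_after(v, dtls_fix) else "affected"

    has_june_fix = at_or_after(v, FIXED_20150611[v.branch])
    if v.branch in ECPARAMS_BRANCHES:
        verdict["CVE-2015-1788"] = "fixed" if has_june_fix else "affected"
    else:
        verdict["CVE-2015-1788"] = "not affected"
    for cve in ("CVE-2015-1789", "CVE-2015-1790", "CVE-2015-1792"):
        verdict[cve] = "fixed" if has_june_fix else "affected"
    return verdict


def main(argv) -> int:
    if len(argv) > 1:
        banner = " ".join(argv[1:])          # e.g. a banner pasted from a remote host
    else:
        try:
            banner = subprocess.run(["openssl", "version"], check=True,
                                    capture_output=True, text=True).stdout
        except (FileNotFoundError, subprocess.CalledProcessError) as exc:
            print(f"cannot run `openssl version`: {exc}", file=sys.stderr)
            return 2
    print(banner.strip())
    verdicts = triage(banner)
    for cve, state in verdicts.items():
        print(f"  {cve}: {state}")
    return 1 if "affected" in verdicts.values() else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments on the host being checked, or pass a banner collected elsewhere (`python3 triage.py "OpenSSL 1.0.1k 8 Jan 2015"`); a non-zero exit means at least one CVE is still open. The verdict is only as good as the version string: distributions that backport fixes (the Red Hat, Ubuntu, and other follow-ups listed below) keep the upstream version number while patching, so on such systems a reported "affected" must be cross-checked against the package changelog (for example `rpm -q --changelog openssl | grep CVE-2015-1789`) rather than taken at face value.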

Vendor URL:  openssl.org/news/secadv_20150611.txt
Cause:   Access control error, Boundary error, Not specified, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 11 2015 (Ubuntu Issues Fix) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Ubuntu has issued a fix for Ubuntu 12.04 LTS, 14.04 LTS, 14.10, and 15.04.
Jun 12 2015 (FreeBSD Issues Fix) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
FreeBSD has issued a fix for FreeBSD 8.4, 9.3, and 10.1.
Jun 16 2015 (Red Hat Issues Fix) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Red Hat has issued a fix for Red Hat Enterprise Linux 6 and 7.
Jun 17 2015 (Cisco Issues Advisory for Cisco Jabber Guest Server) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Cisco has issued an advisory for Cisco Jabber Guest Server.
Jun 17 2015 (Cisco Issues Advisory for Cisco Intrusion Prevention System) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Cisco has issued an advisory for Cisco Intrusion Prevention System.
Jun 17 2015 (Cisco Issues Advisory for Cisco Identity Services Engine) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Cisco has issued an advisory for Cisco Identity Services Engine.
Jun 18 2015 (Cisco Issues Advisory for Cisco TelePresence) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Cisco has issued an advisory for Cisco TelePresence.
Jun 18 2015 (Cisco Issues Advisory for Cisco Enterprise Content Delivery System) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Cisco has issued an advisory for Cisco Enterprise Content Delivery System.
Jun 18 2015 (Cisco Issues Fix for Cisco Digital Media Players) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Cisco has issued an advisory for Cisco Digital Media Players.
Jun 18 2015 (Cisco Issues Advisory for Cisco Unified Intelligent Contact Management Enterprise) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Cisco has issued an advisory for Cisco Unified Intelligent Contact Management Enterprise.
Jun 18 2015 (Cisco Issues Advisory for Cisco Unified Contact Center Enterprise) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Cisco has issued an advisory for Cisco Unified Contact Center Enterprise.
Jun 18 2015 (Cisco Issues Advisory for Cisco NX-OS) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Cisco has issued an advisory for Cisco NX-OS.
Jun 19 2015 (Cisco Issues Advisory for Cisco Prime Security Manager) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Cisco has issued an advisory for Cisco Prime Security Manager.
Jun 19 2015 (Cisco Issues Advisory for Cisco Network Analysis Module) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Cisco has issued an advisory for Cisco Network Analysis Module.
Jun 20 2015 (McAfee Issues Advisory for McAfee Vulnerability Manager) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
McAfee has issued an advisory for McAfee Vulnerability Manager.
Jun 20 2015 (McAfee Issues Advisory for McAfee Asset Manager) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
McAfee has issued an advisory for McAfee Asset Manager.
Jun 20 2015 (McAfee Issues Advisory for McAfee Agent) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
McAfee has issued an advisory for McAfee Agent.
Jun 20 2015 (McAfee Issues Advisory for McAfee Email Gateway (IronMail)) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
McAfee has issued an advisory for McAfee Email Gateway.
Jun 20 2015 (McAfee Issues Advisory for McAfee Email and Web Security Appliance) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
McAfee has issued an advisory for McAfee Email and Web Security Appliance.
Jun 20 2015 (McAfee Issues Fix for McAfee Firewall Enterprise) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
McAfee has issued a fix for McAfee Firewall Enterprise.
Jun 30 2015 (Red Hat Issues Fix) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Red Hat has issued a fix for Red Hat Enterprise Linux 5.
Jul 15 2015 (IBM Issues Fix for IBM AIX) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
IBM has issued a fix for IBM AIX 5.3, 6.1, and 7.1.
Jul 16 2015 (CentOS Issues Fix) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
CentOS has issued a fix for CentOS 5.
Jul 18 2015 (Novell Issues Fix for Novell eDirectory) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Novell has issued a fix for Novell eDirectory.
Jul 21 2015 (Fortinet Issues Fix for Fortinet FortiADC) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Fortinet has issued an advisory for Fortinet FortiADC.
Jul 22 2015 (Fortinet Issues Fix for Fortinet FortiManager) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Fortinet has issued an advisory for Fortinet FortiManager.
Jul 22 2015 (Fortinet Issues Fix for Fortinet FortiAnalyzer) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Fortinet has issued an advisory for Fortinet FortiAnalyzer.
Jul 22 2015 (Fortinet Issues Fix for Fortinet FortiClient) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Fortinet has issued an advisory for Fortinet FortiClient.
Jul 22 2015 (Fortinet Issues Fix for Fortinet FortiMail) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Fortinet has issued an advisory for Fortinet FortiMail.
Jul 22 2015 (Fortinet Issues Fix for Fortinet FortiWeb) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Fortinet has issued an advisory for Fortinet FortiWeb.
Jul 22 2015 (Tenable Security Issues Fix for Nessus) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Tenable Security has issued a fix for Nessus.
Jul 28 2015 (OpenBSD Issues Fix) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
OpenBSD has issued a fix for OpenBSD 5.6 and 5.7.
Jul 30 2015 (IBM Issues Fix for IBM Rational Developer for System z) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
IBM has issued a fix for IBM Rational Developer for System z.
Aug 6 2015 (IBM Issues Fix for IBM Security Network IPS) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
IBM has issued a fix for IBM Security Network IPS.
Aug 11 2015 (HP Issues Fix for HP-UX) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
HP has issued a fix for HP-UX 11.31.
Aug 21 2015 (NetBSD Issues Fix) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
NetBSD has issued a fix for NetBSD 5.1, 5.2, 6.0, and 6.1.
Aug 27 2015 (IBM Issues Fix for IBM Rational ClearCase) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
IBM has issued a fix for IBM Rational ClearCase.
Aug 30 2015 (IBM Issues Fix for IBM InfoSphere Guardium) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
IBM has issued a fix for IBM InfoSphere Guardium.
Sep 9 2015 (IBM Issues Fix for IBM Security Proventia Network Enterprise Scanner) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
IBM has issued a fix for IBM Security Proventia Network Enterprise Scanner.
Sep 9 2015 (IBM Issues Fix for IBM Security Identity Manager Virtual Appliance) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
IBM has issued a fix for IBM Security Identity Manager Virtual Appliance.
Sep 15 2015 (IBM Issues Fix for IBM HTTP Server (IHS)) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
IBM has issued a fix for IBM HTTP Server (IHS).
Sep 22 2015 (IBM Issues Fix for IBM InfoSphere Information Server) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
IBM has issued a fix for IBM InfoSphere Information Server.
Sep 22 2015 (IBM Issues Fix for IBM Rational ClearCase) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
IBM has issued a fix for IBM Rational ClearCase.
Oct 5 2015 (IBM Issues Fix for IBM Rational ClearQuest) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
IBM has issued a fix for IBM Rational ClearQuest.
Oct 7 2015 (IBM Issues Fix for IBM DB2) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
IBM has issued a fix for IBM DB2.
Oct 8 2015 (IBM Issues Fix for IBM Tivoli Netcool System Service Monitor) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
IBM has issued a fix for IBM Tivoli Netcool System Service Monitor.
Oct 8 2015 (IBM Issues Fix for IBM SPSS Modeler) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
IBM has issued a fix for IBM SPSS Modeler.
Oct 19 2015 (IBM Issues Fix for IBM Rational Team Concert Build Agent) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
IBM has issued a fix for IBM Rational Team Concert Build Agent.
Nov 9 2015 (IBM Issues Fix for IBM WebSphere MQ on HP NonStop-HP/UX) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
IBM has issued a fix for IBM WebSphere MQ on HP NonStop-HP/UX.
Nov 13 2015 (IBM Issues Fix for IBM WebSphere MQ for IBM i) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
IBM has issued a fix for IBM WebSphere MQ for IBM i.
Dec 8 2015 (IBM Issues Fix for Informix Dynamic Server) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
IBM has issued a fix for Informix Dynamic Server.
Jan 4 2016 (IBM Issues Fix for IBM Content Manager Enterprise Edition) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
IBM has issued a fix for IBM Content Manager Enterprise Edition.
Jan 20 2016 (Oracle Issues Fix for Oracle HTTP Server) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Oracle has issued a fix for Oracle HTTP Server.
Apr 20 2016 (Oracle Issues Fix for Sun SPARC Enterprise Server) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Oracle has issued a fix for Sun SPARC Enterprise Server.
Jun 3 2016 (HP Issues Fix for HPE BladeSystem) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
HP has issued a fix for HPE BladeSystem.
Aug 19 2016 (Palo Alto Networks Issues Fix for Palo Alto PAN-OS) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Palo Alto Networks has issued a fix for Palo Alto PAN-OS.
Sep 15 2016 (Citrix Issues Fix for Citrix NetScaler) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Citrix has issued a fix for Citrix NetScaler.
Oct 20 2016 (Palo Alto Networks Issues Fix for Palo Alto PAN-OS) OpenSSL Bugs Let Remote Users Deny Service and Potentially Execute Arbitrary Code
Palo Alto Networks has issued a fix for Palo Alto PAN-OS.



 Source Message Contents



[Original Message Not Available for Viewing]



Copyright 2018, SecurityGlobal.net LLC