Category:   Application (VPN)  >   OpenSSL
Vendors:   OpenSSL.org
OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
SecurityTracker Alert ID:  1034294
SecurityTracker URL:  http://securitytracker.com/id/1034294
CVE Reference:   CVE-2015-1794, CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196
Date:  Dec 5 2015
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to versions 0.9.8zh, 1.0.0t, 1.0.1q, 1.0.2e
Description:   Multiple vulnerabilities were reported in OpenSSL. A remote user can cause the target service to crash. A remote user can obtain potentially sensitive information on the target system.

A remote server can send a specially crafted ServerKeyExchange for an anonymous DH ciphersuite with the value of p set to 0 to potentially cause the target service to crash [CVE-2015-1794]. Version 1.0.2 is affected.

The vendor was notified on August 3, 2015.

Guy Leaver (Cisco) reported this vulnerability.

A remote user can exploit a carry propagation flaw in BN_mod_exp() to potentially determine information about the private key in certain situations [CVE-2015-3193].

Systems configured for persistent DH parameters and sharing a private key between multiple clients are affected. Version 1.0.2 is affected.

The vendor was notified on August 13, 2015.

Hanno Bock reported this vulnerability.

A remote user can send a certificate with a specially crafted ASN.1 signature that uses the RSA PSS algorithm and does not contain the mask generation function parameter to trigger a null pointer dereference and crash [CVE-2015-3194]. Versions 1.0.1 and 1.0.2 are affected.

The vendor was notified on August 27, 2015.

Loic Jonas Etienne (Qnective AG) reported this vulnerability.

A remote user can supply a specially crafted X509_ATTRIBUTE structure to trigger a memory leak and potentially disclose sensitive information [CVE-2015-3195]. Applications that read PKCS#7 or CMS data from untrusted sources are affected. SSL/TLS is not affected.

The vendor was notified on November 9, 2015.

Adam Langley (Google/BoringSSL) reported this vulnerability.

A remote user can send PSK identity hints to a multi-threaded client to trigger a race condition, followed by a double free memory error, and cause the target service to crash [CVE-2015-3196]. Versions 1.0.0, 1.0.1 (prior to 1.0.1p), and 1.0.2 (prior to 1.0.2d) are affected.

Impact:   A remote user can cause the target service to crash.

A remote user can obtain potentially sensitive information on the target system.

Solution:   The vendor has issued a fix (0.9.8zh, 1.0.0t, 1.0.1q, 1.0.2e).

The vendor's advisory is available at:

https://www.openssl.org/news/secadv/20151203.txt
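
For triage against the fixed releases above, the following added example (not code from SecurityTracker or OpenSSL) maps an upstream OpenSSL version string to the CVEs in this advisory, handling the letter-suffix ordering in which 0.9.8zh follows 0.9.8z. The function names are hypothetical, and applying CVE-2015-3195 to all four branches is an assumption, since the advisory lists no branch restriction for it.

```python
import re

# Fixed upstream release per branch, from the advisory's Solution line.
FIXED = {"0.9.8": "zh", "1.0.0": "t", "1.0.1": "q", "1.0.2": "e"}

# Branch scope per CVE as the advisory states it. None means "up to the fixed
# release"; a letter means "prior to" that patch level. CVE-2015-3195 is listed
# with no branch restriction, so applying it to all four branches is an assumption.
SCOPE = {
    "CVE-2015-1794": {"1.0.2": None},
    "CVE-2015-3193": {"1.0.2": None},
    "CVE-2015-3194": {"1.0.1": None, "1.0.2": None},
    "CVE-2015-3195": dict.fromkeys(FIXED),
    "CVE-2015-3196": {"1.0.0": None, "1.0.1": "p", "1.0.2": "d"},
}

VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+)(z[a-z]|[a-z])?\b")


def patch_rank(letters):
    """Order OpenSSL patch letters: '' < 'a' < ... < 'z' < 'za' < ... < 'zh'."""
    return sum(ord(c) - ord("a") + 1 for c in letters)


def parse_version(text):
    """Extract (branch, patch letters) from e.g. `openssl version` output."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return match.group(1), match.group(2) or ""


def affected_cves(text):
    """Return the advisory's CVEs that apply to an upstream version string.

    Distribution packages backport fixes without changing the upstream
    letter, so a hit on a vendor build needs checking against that vendor's fix.
    """
    branch, letters = parse_version(text)
    rank = patch_rank(letters)
    if branch not in FIXED or rank >= patch_rank(FIXED[branch]):
        return []
    return sorted(
        cve for cve, branches in SCOPE.items()
        if branch in branches
        and rank < patch_rank(branches[branch] or FIXED[branch])
    )
```

Branches outside the four named in the advisory return an empty list, which means "not covered here", not "known safe".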

Vendor URL:  www.openssl.org/news/secadv/20151203.txt
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Dec 5 2015 (FreeBSD Issues Fix) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
FreeBSD has issued a fix for FreeBSD 9.3, 10.1, and 10.2.
Dec 7 2015 (Ubuntu Issues Fix) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Ubuntu has issued a fix for Ubuntu Linux 12.04 LTS, 14.04 LTS, 15.04, and 15.10.
Dec 14 2015 (Red Hat Issues Fix) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Red Hat has issued a fix for Red Hat Enterprise Linux 5.
Dec 14 2015 (Red Hat Issues Fix) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Red Hat has issued a fix for Red Hat Enterprise Linux 6 and 7.
Dec 18 2015 (CentOS Issues Fix) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
CentOS has issued a fix for CentOS 5.
Dec 18 2015 (CentOS Issues Fix) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
CentOS has issued a fix for CentOS 6 and 7.
Jan 19 2016 (IBM Issues Fix for IBM AIX) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
IBM has issued a fix for IBM AIX 5.3, 6.1, 7.1, and 7.2.
Jan 20 2016 (Oracle Issues Fix for Oracle HTTP Server) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Oracle has issued a fix for Oracle HTTP Server.
Jan 26 2016 (HP Issues Fix for HP IceWall) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
HP has issued a fix for HP IceWall File Manager and IceWall Federation Agent.
Jan 26 2016 (HP Issues Fix for HP IceWall) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
HP has issued a fix for HP IceWall.
Apr 5 2016 (IBM Issues Fix for IBM Tivoli Endpoint Manager for Remote Control) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
IBM has issued a fix for IBM Tivoli Endpoint Manager for Remote Control.
Apr 20 2016 (Oracle Issues Fix for Oracle Health Sciences Applications) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Oracle has issued a fix for Oracle Health Sciences Applications.
Apr 20 2016 (Oracle Issues Fix for Oracle VM VirtualBox) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Oracle has issued a fix for Oracle VM VirtualBox.
Apr 20 2016 (Oracle Issues Fix for Sun Ray) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Oracle has issued a fix for Sun Ray.
Apr 20 2016 (Oracle Issues Fix for Oracle Fusion Middleware) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Oracle has issued a fix for Oracle Fusion Middleware/Oracle Exalogic Infrastructure.
Apr 20 2016 (Oracle Issues Fix for Oracle API Gateway) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Oracle has issued a fix for Oracle Fusion Middleware/Oracle API Gateway.
Apr 22 2016 (IBM Issues Fix for IBM Tivoli Netcool System Service Monitor) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
IBM has issued a fix for IBM Tivoli Netcool System Service Monitor 4.0.0 and 4.0.1.
May 7 2016 (HP Issues Fix for HPE System Management Homepage) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
HP has issued a fix for HPE System Management Homepage.
May 16 2016 (HP Issues Fix for HPE Systems Insight Manager) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
HP has issued a fix for HPE Systems Insight Manager.
May 21 2016 (Brocade Communications Systems Issues Fix for Brocade Fabric OS) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Brocade Communications Systems has issued a fix for Brocade Fabric OS.
May 21 2016 (Brocade Communications Systems Issues Fix for Brocade Network OS) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Brocade Communications Systems has issued a fix for Brocade Network OS.
May 21 2016 (Brocade Communications Systems Issues Fix for Brocade 5400 and 5600 vRouters) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Brocade Communications Systems has issued a fix for Brocade 5400 and 5600 vRouters.
Jun 3 2016 (HP Issues Fix for HPE BladeSystem) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
HP has issued a fix for HPE BladeSystem.
Jul 8 2016 (IBM Issues Fix for IBM BladeCenter Advanced Management Module) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
IBM has issued a fix for IBM BladeCenter Advanced Management Module.
Aug 19 2016 (Palo Alto Networks Issues Fix for Palo Alto PAN-OS) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Palo Alto Networks has issued a fix for Palo Alto PAN-OS.
Feb 22 2017 (HPE Issues Fix for HPE Intelligent Management Center) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
HPE has issued a fix for HPE Intelligent Management Center.




Copyright 2018, SecurityGlobal.net LLC