Category:   Application (VPN)  >   OpenSSL
Vendors:   OpenSSL.org
OpenSSL X.509 IPAddressFamily Buffer Overread Lets Remote Users Cause Certificate Text to Be Displayed Incorrectly
SecurityTracker Alert ID:  1039726
SecurityTracker URL:  http://securitytracker.com/id/1039726
CVE Reference:   CVE-2017-3735
Date:  Nov 2 2017
Impact:   Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in OpenSSL. A remote user can cause the certificate text to be displayed incorrectly.

A remote user can create an X.509 certificate with specially crafted IPAddressFamily extension data that, when displayed by the target user, will trigger a one-byte overread and cause the certificate text to be displayed incorrectly.

The Google OSS-Fuzz project reported this vulnerability.
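
The check that prevents this class of overread, as an added example (not OpenSSL's code and not part of the original advisory). It assumes the RFC 3779 layout of the addressFamily field, a 2-byte big-endian AFI optionally followed by a 1-byte SAFI; the function names and sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 3779: addressFamily is an OCTET STRING of 2 or 3 bytes. */
enum { AFI_IPV4 = 1, AFI_IPV6 = 2 };

struct addr_family {
    unsigned afi;      /* address family identifier */
    int      has_safi; /* 1 if the optional SAFI byte is present */
    unsigned safi;
};

/* Hypothetical helper: validate the length BEFORE reading data[1].
 * Returns 0 on success, -1 if the field is malformed. */
int parse_address_family(const uint8_t *data, size_t len,
                         struct addr_family *out)
{
    if (data == NULL || out == NULL || len < 2 || len > 3)
        return -1;
    out->afi = ((unsigned)data[0] << 8) | data[1];
    out->has_safi = (len == 3);
    out->safi = out->has_safi ? data[2] : 0;
    return 0;
}

/* What a certificate printer would show for the field. */
const char *afi_label(const uint8_t *data, size_t len)
{
    struct addr_family f;
    if (parse_address_family(data, len, &f) != 0)
        return "malformed addressFamily";
    if (f.afi == AFI_IPV4) return "IPv4";
    if (f.afi == AFI_IPV6) return "IPv6";
    return "Unknown AFI";
}

/* Constructed sample field contents (not from any real certificate). */
static const uint8_t SAMPLE_IPV4[]      = { 0x00, 0x01 };
static const uint8_t SAMPLE_IPV6_SAFI[] = { 0x00, 0x02, 0x01 };
static const uint8_t SAMPLE_SHORT[]     = { 0x00 }; /* one byte: too short */

int main(void)
{
    printf("%s\n", afi_label(SAMPLE_IPV4, sizeof SAMPLE_IPV4));
    printf("%s\n", afi_label(SAMPLE_IPV6_SAFI, sizeof SAMPLE_IPV6_SAFI));
    printf("%s\n", afi_label(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    return 0;
}
```

Without the length test, a one-byte field makes the read of `data[1]` go one byte past the buffer, and the printed family depends on whatever byte follows it in memory.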

Impact:   A remote user can cause the certificate text to be displayed incorrectly.
Solution:   The vendor has issued a fix (1.0.2m, 1.1.0g).

The vendor advisories are available at:

https://www.openssl.org/news/secadv/20170828.txt
https://www.openssl.org/news/secadv/20171102.txt

Vendor URL:  www.openssl.org/news/secadv/20170828.txt
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 6 2017 (Ubuntu Issues Fix) OpenSSL X.509 IPAddressFamily Buffer Overread Lets Remote Users Cause Certificate Text to Be Displayed Incorrectly
Ubuntu has issued a fix for Ubuntu Linux 14.04 LTS, 16.04 LTS, 17.04, and 17.10.
Nov 21 2017 (Tenable Network Security Issues Fix for Tenable SecurityCenter) OpenSSL X.509 IPAddressFamily Buffer Overread Lets Remote Users Cause Certificate Text to Be Displayed Incorrectly
Tenable Network Security has issued a fix for Tenable SecurityCenter.
Nov 29 2017 (FreeBSD Issues Fix) OpenSSL X.509 IPAddressFamily Buffer Overread Lets Remote Users Cause Certificate Text to Be Displayed Incorrectly
FreeBSD has issued a fix for FreeBSD 10.3, 10.4, 11.0, and 11.1.
Dec 1 2017 (Blue Coat Systems Issues Advisory for Blue Coat ProxyAV) OpenSSL X.509 IPAddressFamily Buffer Overread Lets Remote Users Cause Certificate Text to Be Displayed Incorrectly
Blue Coat Systems has issued an advisory for Blue Coat ProxyAV.
Dec 1 2017 (Blue Coat Systems Issues Advisory for Blue Coat ProxySG) OpenSSL X.509 IPAddressFamily Buffer Overread Lets Remote Users Cause Certificate Text to Be Displayed Incorrectly
Blue Coat Systems has issued an advisory for Blue Coat ProxySG.
Dec 15 2017 (IBM Issues Fix for IBM AIX) OpenSSL X.509 IPAddressFamily Buffer Overread Lets Remote Users Cause Certificate Text to Be Displayed Incorrectly
IBM has issued a fix for IBM AIX 5.3, 6.1, 7.1, and 7.2.
Apr 17 2018 (Ubuntu Issues Fix) OpenSSL X.509 IPAddressFamily Buffer Overread Lets Remote Users Cause Certificate Text to Be Displayed Incorrectly
Ubuntu has issued a fix for Ubuntu Linux 12.04 ESM.
Apr 27 2018 (IBM Issues Fix for IBM InfoSphere Information Server) OpenSSL X.509 IPAddressFamily Buffer Overread Lets Remote Users Cause Certificate Text to Be Displayed Incorrectly
IBM has issued a fix for IBM InfoSphere Information Server.
Oct 30 2018 (Red Hat Issues Fix) OpenSSL X.509 IPAddressFamily Buffer Overread Lets Remote Users Cause Certificate Text to Be Displayed Incorrectly
Red Hat has issued a fix for Red Hat Enterprise Linux 7.
Nov 12 2018 (Oracle Issues Fix for Oracle Linux) OpenSSL X.509 IPAddressFamily Buffer Overread Lets Remote Users Cause Certificate Text to Be Displayed Incorrectly
Oracle has issued a fix for Oracle Linux 7.



 Source Message Contents

Subject:  https://www.openssl.org/news/secadv/20170828.txt
