Facebook Google Plus Twitter LinkedIn YouTube RSS Menú Buscar Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

OpenSSL < 0.9.8zf / 1.0.0r / 1.0.1m / 1.0.2a Multiple Vulnerabilities

Medium

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

The remote host is running a version of OpenSSL which is potentially affected by the following vulnerabilities :

- A use-after-free condition exists in the d2i_ECPrivateKey() function due to improper processing of malformed EC private key files during import. A remote attacker can exploit this to dereference or free already freed memory, resulting in a denial of service or other unspecified impact. (CVE-2015-0209)

- An invalid read flaw exists in the ASN1_TYPE_cmp() function due to improperly performed boolean-type comparisons. A remote attacker can exploit this, via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature, to cause an invalid read operation, resulting in a denial of service. (CVE-2015-0286)

- A flaw exists in the ASN1_item_ex_d2i() function due to a failure to reinitialize 'CHOICE' and 'ADB' data structures when reusing a structure in ASN.1 parsing. This allows a remote attacker to cause an invalid write operation and memory corruption, resulting in a denial of service. (CVE-2015-0287)

- A NULL pointer dereference flaw exists in the PKCS#7 parsing code due to incorrect handling of missing outer ContentInfo. This allows a remote attacker, using an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, to cause a denial of service. (CVE-2015-0288)

- The PKCS#7 implementation does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding. (CVE-2015-0289)

- A flaw exists in servers that both support SSLv2 and enable export cipher suites due to improper implementation of SSLv2. A remote attacker can exploit this, via a crafted CLIENT-MASTER-KEY message, to cause a denial of service. (CVE-2015-0293)

Soluciones

Upgrade to OpenSSL 0.9.8zf, 1.0.0r, 1.0.1m, 1.0.2a, or later.