OpenSSL Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:N/A:P) | March 19, 2015 | March 20, 2015 | January 08, 2018 |
Description
The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly perform boolean-type comparisons, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature.
Scan For This Vulnerability
Use our top-rated tool to discover, prioritize, and remediate your vulnerabilities
References
- APPLE-APPLE-SA-2015-06-30-2
- APPLE-APPLE-SA-2015-09-16-1
- APPLE-APPLE-SA-2015-09-30-3
- BID-73225
- CVE-2015-0286
- DEBIAN-DSA-3197
- DISA_SEVERITY-Category I
- DISA_VMSKEY-V0060997
- DISA_VMSKEY-V0061081
- DISA_VMSKEY-V0061123
- DISA_VMSKEY-V0061471
- IAVM-2015-A-0135
- IAVM-2015-A-0154
- IAVM-2015-A-0160
- IAVM-2015-A-0222
- REDHAT-RHSA-2015:0715
- REDHAT-RHSA-2015:0716
- REDHAT-RHSA-2015:0752
- REDHAT-RHSA-2016:2957
- URL: https://www.openssl.org/news/secadv/20150319.txt
Solution
http-openssl-0_9_8-upgrade-0_9_8_z_fRelated Vulnerabilities
- Cent OS: CVE-2015-0286: CESA-2015:0716 (openssl)
- HP-UX: CVE-2015-0286: Potential security vulnerabilities have been identified with HP-UX running OpenSSL. These vulnerabilities could be exploited remotely to create a remote Denial of Service (DoS) and other vulnerabilites.
- Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 5
- Amazon Linux AMI: Security patch for openssl (ALAS-2015-498) (multiple CVEs)
- Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 7
- DSA-3197-1 openssl -- security update
- Cisco NX-OS: Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products (Multiple CVEs)
- Oracle Solaris 11: CVE-2015-0286: Vulnerability in OpenSSL
- RHSA-2015:0715: openssl security update
- USN-2537-1: OpenSSL vulnerabilities
- OS X update for Admin Framework (CVE-2015-0286)
- HP System Management Homepage - (Multiple Advisories) (CVE-2015-0286): Windows 2003, Multiple Vulnerabilities
- HP Systems Insight Manager - HPSBMU03394 (CVE-2015-0286): Linux and Windows, Multiple Vulnerabilities
- Oracle Linux: CVE-2015-0286: ELSA-2016-3558 - openssl security update
- IBM AIX: openssl_advisory13 (CVE-2015-0286): Vulnerabilities in OpenSSL affects AIX
- F5 Networks: K16317 (CVE-2015-0286): OpenSSL vulnerability CVE-2015-0286
- OS X update for OpenSSL (CVE-2015-0286)
- SUSE: CVE-2015-0286: SUSE Linux Security Advisory
- ELSA-2015-0715 Moderate: Oracle Linux openssl security update
- FreeBSD: OpenSSL -- multiple vulnerabilities (FreeBSD-SA-15:06.openssl) (Multiple CVEs)
- Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 6
- ELSA-2015-2617 Moderate: Oracle Linux openssl security update
- RHSA-2015:0716: openssl security and bug fix update
- ELSA-2015-0800 Moderate: Oracle Linux openssl security update
- ELSA-2015-0716 Moderate: Oracle Linux openssl security and bug fix update