OpenSSL DSA/ECDSA EVP_VerifyFinal spoofing (CVE-2008-5077)
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
6 | (AV:N/AC:M/Au:N/C:N/I:P/A:P) | January 07, 2009 | May 29, 2009 | February 13, 2015 |
Description
OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.
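To illustrate the return-value check the description refers to, here is an added C example (it is not OpenSSL's code). `model_verify_final` is a stand-in that only mimics the EVP_VerifyFinal return convention assumed here (1 = signature verifies, 0 = does not verify, -1 = error such as a malformed signature); `accept_vulnerable` rejects only a 0 result, so the error case is accepted as valid, while `accept_fixed` accepts nothing but 1.

```c
#include <stdio.h>
#include <string.h>

#define SIG_LEN 4   /* constructed toy signature length */

/* Stand-in for EVP_VerifyFinal's tri-state result (assumption for this
 * illustration, not the real primitive): 1 = verifies, 0 = does not
 * verify, -1 = error, here triggered by a malformed (wrong-length) signature. */
static int model_verify_final(const unsigned char *sig, size_t sig_len,
                              const unsigned char *expected)
{
    if (sig_len != SIG_LEN)
        return -1;                          /* malformed encoding -> error */
    return memcmp(sig, expected, SIG_LEN) == 0 ? 1 : 0;
}

/* Vulnerable pattern: only a 0 result is treated as rejection, so a -1
 * error result falls through and the signature is accepted. */
int accept_vulnerable(const unsigned char *sig, size_t sig_len,
                      const unsigned char *expected)
{
    if (!model_verify_final(sig, sig_len, expected))
        return 0;                           /* rejected */
    return 1;                               /* reached for both 1 and -1 */
}

/* Fixed pattern: anything other than 1 is a rejection. */
int accept_fixed(const unsigned char *sig, size_t sig_len,
                 const unsigned char *expected)
{
    if (model_verify_final(sig, sig_len, expected) <= 0)
        return 0;
    return 1;
}

int main(void)
{
    /* constructed sample values */
    const unsigned char expected[SIG_LEN]  = {0xde, 0xad, 0xbe, 0xef};
    const unsigned char wrong[SIG_LEN]     = {0x00, 0x00, 0x00, 0x00};
    const unsigned char malformed[2]       = {0xde, 0xad};

    printf("valid sig:     vulnerable=%d fixed=%d\n",
           accept_vulnerable(expected, SIG_LEN, expected), accept_fixed(expected, SIG_LEN, expected));
    printf("wrong sig:     vulnerable=%d fixed=%d\n",
           accept_vulnerable(wrong, SIG_LEN, expected), accept_fixed(wrong, SIG_LEN, expected));
    printf("malformed sig: vulnerable=%d fixed=%d\n",
           accept_vulnerable(malformed, sizeof malformed, expected),
           accept_fixed(malformed, sizeof malformed, expected));
    return 0;
}
```

The malformed case is the one that matters: the vulnerable check reports it as accepted, the fixed check rejects it.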
Solution
http-openssl-0_9_8-upgrade-0_9_8_j
Related Vulnerabilities
- USN-704-1: OpenSSL vulnerability
- ELSA-2012-0518 Important: Oracle Linux openssl security update
- ELSA-2009-0004 Important: Enterprise Linux openssl security update
- Sun Patch: SunOS 5.10: Kernel Patch
- RHSA-2009:0004: openssl security update
- Gentoo Linux: CVE-2008-5077: OpenSSL: Certificate validation error
- VMSA-2009-0004: Updated OpenSSL package (CVE-2008-5077)
- OS X update for OpenSSL (CVE-2008-5077)
- CentOS: CVE-2008-5077: CESA-2009:0004 (OpenSSL)
- HP System Management Homepage - HPSBMA02426 (CVE-2008-5077): Linux and Windows Running PHP and OpenSSL, Remote Cross Site Scripting (XSS), Unauthorized Access
- Sun Patch: SunOS 5.10_x86: kernel patch
- SUSE Linux Security Vulnerability: CVE-2008-5077
- HP-UX: CVE-2008-5077: Running OpenSSL, Remote Unauthorized Access
- SUSE Linux Security Advisory: SUSE-SA:2009:006