Lucene search

K
amazonAmazonALAS-2012-062
HistoryApr 05, 2012 - 12:49 p.m.

Medium: openssl

2012-04-0512:49:00
alas.aws.amazon.com
15

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.114 Low

EPSS

Percentile

95.1%

Issue Overview:

A NULL pointer dereference flaw was found in the way OpenSSL parsed Secure/Multipurpose Internet Mail Extensions (S/MIME) messages. An attacker could use this flaw to crash an application that uses OpenSSL to decrypt or verify S/MIME messages. (CVE-2012-1165)

A flaw was found in the PKCS#7 and Cryptographic Message Syntax (CMS) implementations in OpenSSL. An attacker could possibly use this flaw to perform a Bleichenbacher attack to decrypt an encrypted CMS, PKCS#7, or S/MIME message by sending a large number of chosen ciphertext messages to a service using OpenSSL and measuring error response times. (CVE-2012-0884)

Affected Packages:

openssl

Issue Correction:
Run yum update openssl to update your system.

New Packages:

i686:  
    openssl-devel-1.0.0g-2.39.amzn1.i686  
    openssl-static-1.0.0g-2.39.amzn1.i686  
    openssl-perl-1.0.0g-2.39.amzn1.i686  
    openssl-debuginfo-1.0.0g-2.39.amzn1.i686  
    openssl-1.0.0g-2.39.amzn1.i686  
  
src:  
    openssl-1.0.0g-2.39.amzn1.src  
  
x86_64:  
    openssl-1.0.0g-2.39.amzn1.x86_64  
    openssl-static-1.0.0g-2.39.amzn1.x86_64  
    openssl-debuginfo-1.0.0g-2.39.amzn1.x86_64  
    openssl-perl-1.0.0g-2.39.amzn1.x86_64  
    openssl-devel-1.0.0g-2.39.amzn1.x86_64  

Additional References

Red Hat: CVE-2012-0884, CVE-2012-1165

Mitre: CVE-2012-0884, CVE-2012-1165

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.114 Low

EPSS

Percentile

95.1%