7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%
Issue Overview:
LOGJAM: A flaw was found in the way the TLS protocol composes the Diffie-Hellman exchange (for both export and non-export grade cipher suites). An attacker could use this flaw to downgrade a DHE connection to use export-grade key sizes, which could then be broken by sufficient pre-computation. This can lead to a passive man-in-the-middle attack in which the attacker is able to decrypt all traffic. (CVE-2015-4000)
An out-of-bounds read flaw was found in the X509_cmp_time() function of OpenSSL, which is used to test the expiry dates of SSL/TLS certificates. An attacker could possibly use a specially-crafted SSL/TLS certificate or CRL (Certificate Revocation List), which when parsed by an application would cause that application to crash. (CVE-2015-1789)
A NULL pointer dereference was found in the way OpenSSL handled certain PKCS#7 inputs. An attacker able to make an application using OpenSSL verify, decrypt, or parse a specially crafted PKCS#7 input could cause that application to crash. TLS/SSL clients and servers using OpenSSL were not affected by this flaw. (CVE-2015-1790)
A race condition was found in the session handling code of OpenSSL. An attacker could cause a multi-threaded SSL/TLS server to crash. (CVE-2015-1791)
A denial of service flaw was found in OpenSSL in the way it verified certain signed messages using CMS (Cryptographic Message Syntax). A remote attacker could cause an application using OpenSSL to use excessive amounts of memory by sending a specially-crafted message for verification. (CVE-2015-1792)
An invalid-free flaw was found in the way OpenSSL handled certain DTLS handshake messages. A malicious DTLS client or server could send a specially-crafted message to the peer, which could cause the application to crash or potentially cause arbitrary code execution. (CVE-2014-8176)
A regression was found in the ssleay_rand_bytes() function. This could lead a multi-threaded application to crash. (CVE-2015-3216)
Affected Packages:
openssl
Issue Correction:
Run yum update openssl to update your system.
New Packages:
i686:
   openssl-devel-1.0.1k-10.86.amzn1.i686
   openssl-static-1.0.1k-10.86.amzn1.i686
   openssl-1.0.1k-10.86.amzn1.i686
   openssl-perl-1.0.1k-10.86.amzn1.i686
   openssl-debuginfo-1.0.1k-10.86.amzn1.i686
src:
   openssl-1.0.1k-10.86.amzn1.src
x86_64:
   openssl-1.0.1k-10.86.amzn1.x86_64
   openssl-static-1.0.1k-10.86.amzn1.x86_64
   openssl-devel-1.0.1k-10.86.amzn1.x86_64
   openssl-debuginfo-1.0.1k-10.86.amzn1.x86_64
   openssl-perl-1.0.1k-10.86.amzn1.x86_64
Red Hat: CVE-2014-8176, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2015-3216, CVE-2015-4000
Mitre: CVE-2014-8176, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2015-3216, CVE-2015-4000
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | i686 | openssl-devel | <Â 1.0.1k-10.86.amzn1 | openssl-devel-1.0.1k-10.86.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | openssl-static | <Â 1.0.1k-10.86.amzn1 | openssl-static-1.0.1k-10.86.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | openssl | <Â 1.0.1k-10.86.amzn1 | openssl-1.0.1k-10.86.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | openssl-perl | <Â 1.0.1k-10.86.amzn1 | openssl-perl-1.0.1k-10.86.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | openssl-debuginfo | <Â 1.0.1k-10.86.amzn1 | openssl-debuginfo-1.0.1k-10.86.amzn1.i686.rpm |
Amazon Linux | 1 | x86_64 | openssl | <Â 1.0.1k-10.86.amzn1 | openssl-1.0.1k-10.86.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | openssl-static | <Â 1.0.1k-10.86.amzn1 | openssl-static-1.0.1k-10.86.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | openssl-devel | <Â 1.0.1k-10.86.amzn1 | openssl-devel-1.0.1k-10.86.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | openssl-debuginfo | <Â 1.0.1k-10.86.amzn1 | openssl-debuginfo-1.0.1k-10.86.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | openssl-perl | <Â 1.0.1k-10.86.amzn1 | openssl-perl-1.0.1k-10.86.amzn1.x86_64.rpm |
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%