Lucene search

K
amazonAmazonALAS-2015-614
HistoryDec 14, 2015 - 10:00 a.m.

Medium: openssl

2015-12-1410:00:00
alas.aws.amazon.com
27

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.94 High

EPSS

Percentile

99.1%

Issue Overview:

A NULL pointer derefernce flaw was found in the way OpenSSL verified signatures using the RSA PSS algorithm. A remote attacked could possibly use this flaw to crash a TLS/SSL client using OpenSSL, or a TLS/SSL server using OpenSSL if it enabled client authentication. (CVE-2015-3194)

A memory leak vulnerability was found in the way OpenSSL parsed PKCS#7 and CMS data. A remote attacker could use this flaw to cause an application that parses PKCS#7 or CMS data from untrusted sources to use an excessive amount of memory and possibly crash. (CVE-2015-3195)

A race condition flaw, leading to a double free, was found in the way OpenSSL handled pre-shared key (PSK) identify hints. A remote attacker could use this flaw to crash a multi-threaded SSL/TLS client using OpenSSL. (CVE-2015-3196)

Affected Packages:

openssl

Issue Correction:
Run yum update openssl to update your system.

New Packages:

i686:  
    openssl-static-1.0.1k-13.88.amzn1.i686  
    openssl-debuginfo-1.0.1k-13.88.amzn1.i686  
    openssl-1.0.1k-13.88.amzn1.i686  
    openssl-devel-1.0.1k-13.88.amzn1.i686  
    openssl-perl-1.0.1k-13.88.amzn1.i686  
  
src:  
    openssl-1.0.1k-13.88.amzn1.src  
  
x86_64:  
    openssl-debuginfo-1.0.1k-13.88.amzn1.x86_64  
    openssl-1.0.1k-13.88.amzn1.x86_64  
    openssl-devel-1.0.1k-13.88.amzn1.x86_64  
    openssl-perl-1.0.1k-13.88.amzn1.x86_64  
    openssl-static-1.0.1k-13.88.amzn1.x86_64  

Additional References

Red Hat: CVE-2015-3194, CVE-2015-3195, CVE-2015-3196

Mitre: CVE-2015-3194, CVE-2015-3195, CVE-2015-3196

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.94 High

EPSS

Percentile

99.1%