FreeBSD 0F37D765-C5D4-11DB-9F82-000E0C2E438A
Sep 28, 2006 - 12:00 a.m.

OpenSSL -- Multiple problems in crypto(3)

2006-09-28 00:00:00
vuxml.freebsd.org

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.964 High (Percentile: 99.6%)

Problem Description:
Several problems have been found in OpenSSL:

- During the parsing of certain invalid ASN1 structures an
  error condition is mishandled, possibly resulting in an
  infinite loop.
- A buffer overflow exists in the SSL_get_shared_ciphers
  function.
- A NULL pointer may be dereferenced in the SSL version 2
  client code.

In addition, many applications using OpenSSL do not perform
any validation of the lengths of public keys being used.

Impact:
- Servers which parse ASN1 data from untrusted sources may be
  vulnerable to a denial of service attack.
- An attacker accessing a server which uses SSL version 2 may
  be able to execute arbitrary code with the privileges of that
  server.
- A malicious SSL server can cause clients connecting using
  SSL version 2 to crash.
- Applications which perform public key operations using
  untrusted keys may be vulnerable to a denial of service
  attack.

Workaround:
No workaround is available, but not all of the
vulnerabilities mentioned affect all applications.

OS       Version  Architecture  Package  Version     Filename
FreeBSD  any      noarch        openssl  < 0.9.7l_0  UNKNOWN
FreeBSD  any      noarch        freebsd  = 6.1       UNKNOWN
FreeBSD  any      noarch        freebsd  < 6.1_9     UNKNOWN
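
The public key length validation that the description says many applications omit, as an added example (not code from the advisory, FreeBSD or OpenSSL): it reads only the DER length fields of a PKCS#1 RSAPublicKey and rejects out-of-policy sizes before any public key operation runs. The function names, the RSA-only scope and the size limits are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
/* Read a DER header with the expected tag; -1 on malformed/truncated input. */
static int der_header(const unsigned char **p, const unsigned char *end,
                      unsigned char tag, size_t *clen) {
    const unsigned char *q = *p;
    if (end - q < 2 || q[0] != tag) return -1;
    size_t n = q[1];
    q += 2;
    if (n & 0x80) {                        /* long form: length octets follow */
        size_t k = n & 0x7f;
        if (k == 0 || k > 4 || (size_t)(end - q) < k) return -1;
        for (n = 0; k > 0; k--) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return -1;  /* claimed length must fit the buffer */
    *p = q; *clen = n;
    return 0;
}

/* Bit length of a non-negative DER INTEGER; -1 if malformed or negative. */
static long der_uint_bits(const unsigned char **p, const unsigned char *end) {
    size_t n;
    if (der_header(p, end, 0x02, &n) != 0 || n == 0) return -1;
    const unsigned char *v = *p;
    *p += n;                               /* step past this INTEGER */
    if (v[0] & 0x80) return -1;            /* high bit set means negative */
    while (n > 1 && *v == 0) { v++; n--; } /* drop leading zero octets */
    long bits = (long)(n - 1) * 8;
    for (unsigned char b = *v; b; b >>= 1) bits++;
    return bits;
}

/* 1 if der is RSAPublicKey ::= SEQUENCE { modulus, publicExponent } and both
   integers fit the caller's size policy (exponent must be >= 2), else 0. */
int rsa_pubkey_size_ok(const unsigned char *der, size_t len, long min_mod_bits,
                       long max_mod_bits, long max_exp_bits) {
    const unsigned char *p = der, *end = der + len;
    size_t seqlen;
    if (der_header(&p, end, 0x30, &seqlen) != 0 || p + seqlen != end) return 0;
    long nbits = der_uint_bits(&p, end);
    long ebits = der_uint_bits(&p, end);
    if (nbits < 0 || ebits < 0 || p != end) return 0;
    return nbits >= min_mod_bits && nbits <= max_mod_bits
        && ebits >= 2 && ebits <= max_exp_bits;
}

/* Constructed toy key: modulus 0xC5A3 (16 bits), exponent 0x010001 (17 bits). */
static const unsigned char SAMPLE_KEY[] = { 0x30, 0x0a, 0x02, 0x03, 0x00, 0xc5, 0xa3, 0x02, 0x03, 0x01, 0x00, 0x01 };
int main(void) {  /* the policy limits are assumptions, not from the advisory */
    printf("accepted: %d\n", rsa_pubkey_size_ok(SAMPLE_KEY, sizeof SAMPLE_KEY, 2048, 16384, 64));
    return 0;
}
```

The check runs on the encoded key before it reaches the crypto library, so a key that fails it is never used in a public key operation.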
