Lucene search

K
ibmIBM89E28DE00B780208C4738BFA3895A8309DBA6F3C9B16E54D09B45E894A59C215
HistoryJun 18, 2018 - 12:09 a.m.

Security Bulletin: Vulnerabilities in OpenSSL affect Real-time Compression CVE-2015-0209 CVE-2015-0286 CVE-2015-0287 CVE-2015-0288 CVE-2015-0289 CVE-2015-0292 CVE-2015-0293

2018-06-1800:09:39
www.ibm.com
7

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

OpenSSL vulnerabilities were disclosed on March 19, 2015 by the OpenSSL Project. OpenSSL is used by Real-time Compression Appliance. Real-time Compression Appliance has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-0209DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free error in the d2i_ECPrivateKey or EVP_PKCS82PKEY function. An attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system and cause a denial of service.CVSS Base Score: 7.5CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101674 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2015-0286DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error in the ASN1_TYPE_cmp function when attempting to compare ASN.1 boolean types. An attacker could exploit this vulnerability to crash any certificate verification operation and cause a denial of service.CVSS Base Score: 5CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101666 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0287DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by an error related to the reuse of a structure in ASN.1 parsing. An attacker could exploit this vulnerability using an invalid write to corrupt memory and execute arbitrary code on the system.CVSS Base Score: 7.5CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101668 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2015-0288DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error in the X509_to_X509_REQ function. An attacker could exploit this vulnerability to trigger a NULL pointer dereference.CVSS Base Score: 5CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101675 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0289DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the failure to properly handle missing outer ContentInfo by the PKCS#7 parsing code. An attacker could exploit this vulnerability using a malformed ASN.1-encoded PKCS#7 blob to trigger a NULL pointer dereference.CVSS Base Score: 5CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101669 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0292DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by an error when processing base64 encoded data. An attacker could exploit this vulnerability using specially-crafted base 64 data to corrupt memory and execute arbitrary code on the system and cause a denial of service.CVSS Base Score: 7.5CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101670 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2015-0293DESCRIPTION: OpenSSL is vulnerable to a denial of service. By sending a specially-crafted SSLv2 CLIENT-MASTER-KEY message, a remote attacker could exploit this vulnerability to trigger an assertion.CVSS Base Score: 5CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101671 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Products and Versions

Real-time Compression Appliance releases:

· 4.1

· 3.9

· 3.8

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Related for 89E28DE00B780208C4738BFA3895A8309DBA6F3C9B16E54D09B45E894A59C215