6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.948 High
EPSS
Percentile
99.3%
Issue Overview:
A use-after-free flaw was found in the way OpenSSL importrf certain Elliptic Curve private keys. An attacker could use this flaw to crash OpenSSL, if a specially-crafted certificate was imported. (CVE-2015-0209)
A denial of service flaw was found in the way OpenSSL handled certain SSLv2 messages. A malicious client could send a specially crafted SSLv2 CLIENT-MASTER-KEY message that would cause an OpenSSL server that both supports SSLv2 and enables EXPORT-grade cipher suites to crash. (CVE-2015-0293)
An out-of-bounds write flaw was found in the way OpenSSL reused certain ASN.1 structures. A remote attacker could use a specially crafted ASN.1 structure that, when parsed by an application, would cause that application to crash. (CVE-2015-0287)
A flaw was found in the the ASN (Abstract Syntax Notation) parsing code of OpenSSL. An attacker could present a specially crafted certificate, which when verified by an OpenSSL client or server could cause it to crash. (CVE-2015-0286)
A null-pointer dereference was found in the way OpenSSL handled certain PKCS#7 blobs. An attacker could cause OpenSSL to crash, when applications verify, decrypt or parsed these ASN.1 encoded PKCS#7 blobs. OpenSSL clients and servers are not affected. (CVE-2015-0289)
A NULL pointer dereference flaw was found in OpenSSL’s x509 certificate handling implementation. A remote attacker could use this flaw to crash an OpenSSL server using an invalid certificate key. (CVE-2015-0288)
Affected Packages:
openssl
Issue Correction:
Run yum update openssl to update your system.
New Packages:
i686:
openssl-debuginfo-1.0.1k-1.84.amzn1.i686
openssl-perl-1.0.1k-1.84.amzn1.i686
openssl-1.0.1k-1.84.amzn1.i686
openssl-devel-1.0.1k-1.84.amzn1.i686
openssl-static-1.0.1k-1.84.amzn1.i686
src:
openssl-1.0.1k-1.84.amzn1.src
x86_64:
openssl-static-1.0.1k-1.84.amzn1.x86_64
openssl-perl-1.0.1k-1.84.amzn1.x86_64
openssl-devel-1.0.1k-1.84.amzn1.x86_64
openssl-1.0.1k-1.84.amzn1.x86_64
openssl-debuginfo-1.0.1k-1.84.amzn1.x86_64
Red Hat: CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0293
Mitre: CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0293
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | i686 | openssl-debuginfo | < 1.0.1k-1.84.amzn1 | openssl-debuginfo-1.0.1k-1.84.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | openssl-perl | < 1.0.1k-1.84.amzn1 | openssl-perl-1.0.1k-1.84.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | openssl | < 1.0.1k-1.84.amzn1 | openssl-1.0.1k-1.84.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | openssl-devel | < 1.0.1k-1.84.amzn1 | openssl-devel-1.0.1k-1.84.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | openssl-static | < 1.0.1k-1.84.amzn1 | openssl-static-1.0.1k-1.84.amzn1.i686.rpm |
Amazon Linux | 1 | x86_64 | openssl-static | < 1.0.1k-1.84.amzn1 | openssl-static-1.0.1k-1.84.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | openssl-perl | < 1.0.1k-1.84.amzn1 | openssl-perl-1.0.1k-1.84.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | openssl-devel | < 1.0.1k-1.84.amzn1 | openssl-devel-1.0.1k-1.84.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | openssl | < 1.0.1k-1.84.amzn1 | openssl-1.0.1k-1.84.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | openssl-debuginfo | < 1.0.1k-1.84.amzn1 | openssl-debuginfo-1.0.1k-1.84.amzn1.x86_64.rpm |