5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.009 Low
EPSS
Percentile
82.0%
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in
OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict
certain oracle behavior, which makes it easier for context-dependent
attackers to decrypt data via a Million Message Attack (MMA) adaptive
chosen ciphertext attack.
Author | Note |
---|---|
sbeattie | only affects CMS, PKCS #7, or S/MIME decryption, not SSL/TLS transactions |
mdeslaur | from oss-security: โIf a Linux distribution picks up the fix for CVE-2012-0884 then they will want to pick up change 22161 at the same time since the fix for the security vulnerability will generally cause symmetric decryption errors when it kicks in and things get very confusing for the end user without change 22161โ A second issue was fixed too, see: http://www.openwall.com/lists/oss-security/2012/05/11/5 |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 8.04 | noarch | openssl | <ย 0.9.8g-4ubuntu3.19 | UNKNOWN |
ubuntu | 10.04 | noarch | openssl | <ย 0.9.8k-7ubuntu8.13 | UNKNOWN |
ubuntu | 11.04 | noarch | openssl | <ย 0.9.8o-5ubuntu1.7 | UNKNOWN |
ubuntu | 11.10 | noarch | openssl | <ย 1.0.0e-2ubuntu4.6 | UNKNOWN |
ubuntu | 12.04 | noarch | openssl098 | <ย 0.9.8o-7ubuntu3.2 | UNKNOWN |
ubuntu | 13.10 | noarch | openssl098 | <ย 0.9.8o-7ubuntu3.2.13.10.1 | UNKNOWN |
ubuntu | 14.04 | noarch | openssl098 | <ย 0.9.8o-7ubuntu3.2.14.04.1 | UNKNOWN |