Lucene search

K
ubuntucveUbuntu.comUB:CVE-2012-0884
HistoryMar 12, 2012 - 12:00 a.m.

CVE-2012-0884

2012-03-1200:00:00
ubuntu.com
ubuntu.com
17

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.009

Percentile

82.5%

The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in
OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict
certain oracle behavior, which makes it easier for context-dependent
attackers to decrypt data via a Million Message Attack (MMA) adaptive
chosen ciphertext attack.

Notes

Author Note
sbeattie only affects CMS, PKCS #7, or S/MIME decryption, not SSL/TLS transactions
mdeslaur from oss-security: “If a Linux distribution picks up the fix for CVE-2012-0884 then they will want to pick up change 22161 at the same time since the fix for the security vulnerability will generally cause symmetric decryption errors when it kicks in and things get very confusing for the end user without change 22161” A second issue was fixed too, see: http://www.openwall.com/lists/oss-security/2012/05/11/5
OSVersionArchitecturePackageVersionFilename
ubuntu8.04noarchopenssl< 0.9.8g-4ubuntu3.19UNKNOWN
ubuntu10.04noarchopenssl< 0.9.8k-7ubuntu8.13UNKNOWN
ubuntu11.04noarchopenssl< 0.9.8o-5ubuntu1.7UNKNOWN
ubuntu11.10noarchopenssl< 1.0.0e-2ubuntu4.6UNKNOWN
ubuntu12.04noarchopenssl098< 0.9.8o-7ubuntu3.2UNKNOWN
ubuntu13.10noarchopenssl098< 0.9.8o-7ubuntu3.2.13.10.1UNKNOWN
ubuntu14.04noarchopenssl098< 0.9.8o-7ubuntu3.2.14.04.1UNKNOWN

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.009

Percentile

82.5%