Executive Summary
Summary | |
---|---|
Title | openssl security update |
Informations | |||
---|---|---|---|
Name | RHSA-2012:0522 | First vendor Publication | 2012-04-25 |
Vendor | RedHat | Last vendor Modification | 2012-04-25 |
Severity (Vendor) | Important | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated openssl packages that fix one security issue are now available for Red Hat Enterprise Linux 3 and 4 Extended Life Cycle Support; Red Hat Enterprise Linux 5.3 Long Life; and Red Hat Enterprise Linux 5.6, 6.0 and 6.1 Extended Update Support. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS (v. 3 ELS) - i386 Red Hat Enterprise Linux AS (v. 4 ELS) - i386, ia64, x86_64 Red Hat Enterprise Linux ES (v. 3 ELS) - i386 Red Hat Enterprise Linux ES (v. 4 ELS) - i386, x86_64 Red Hat Enterprise Linux EUS (v. 5.6 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Long Life (v. 5.3 server) - i386, ia64, x86_64 Red Hat Enterprise Linux Server EUS (v. 6.0) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server EUS (v. 6.1) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 6.0) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional EUS (v. 6.1) - i386, ppc64, s390x, x86_64 3. Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. Multiple numeric conversion errors, leading to a buffer overflow, were found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data from BIO (OpenSSL's I/O abstraction) inputs. Specially-crafted DER (Distinguished Encoding Rules) encoded data read from a file or other BIO input could cause an application using the OpenSSL library to crash or, potentially, execute arbitrary code. (CVE-2012-2110) All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve this issue. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 814185 - CVE-2012-2110 openssl: asn1_d2i_read_bio integer errors leading to buffer overflow |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2012-0522.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:17928 | |||
Oval ID: | oval:org.mitre.oval:def:17928 | ||
Title: | USN-1424-1 -- openssl vulnerabilities | ||
Description: | An application using OpenSSL could be made to crash or run programs if it opened a specially crafted file. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1424-1 CVE-2006-7250 CVE-2012-1165 CVE-2012-2110 | Version: | 7 |
Platform(s): | Ubuntu 11.10 Ubuntu 11.04 Ubuntu 10.04 Ubuntu 8.04 | Product(s): | openssl |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:19831 | |||
Oval ID: | oval:org.mitre.oval:def:19831 | ||
Title: | VMware vCenter Server, ESXi and ESX address an NFC Protocol memory corruption and third party library security issues. | ||
Description: | The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2012-2110 | Version: | 4 |
Platform(s): | VMWare ESX Server 3.5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20716 | |||
Oval ID: | oval:org.mitre.oval:def:20716 | ||
Title: | VMware vSphere and vCOps updates to third party libraries | ||
Description: | The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2012-2110 | Version: | 4 |
Platform(s): | VMWare ESX Server 4.1 VMWare ESX Server 4.0 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21032 | |||
Oval ID: | oval:org.mitre.oval:def:21032 | ||
Title: | Multiple OpenSSL vulnerabilities | ||
Description: | The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2012-2110 | Version: | 4 |
Platform(s): | IBM AIX 6.1 IBM AIX 7.1 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21366 | |||
Oval ID: | oval:org.mitre.oval:def:21366 | ||
Title: | RHSA-2012:0518: openssl security update (Important) | ||
Description: | The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:0518-02 CESA-2012:0518 CVE-2012-2110 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 CentOS Linux 5 CentOS Linux 6 | Product(s): | openssl openssl097a openssl098e |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23304 | |||
Oval ID: | oval:org.mitre.oval:def:23304 | ||
Title: | DEPRECATED: ELSA-2012:0518: openssl security update (Important) | ||
Description: | The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:0518-02 CVE-2012-2110 | Version: | 7 |
Platform(s): | Oracle Linux 6 Oracle Linux 5 | Product(s): | openssl openssl097a openssl098e |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23704 | |||
Oval ID: | oval:org.mitre.oval:def:23704 | ||
Title: | ELSA-2012:0518: openssl security update (Important) | ||
Description: | The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:0518-02 CVE-2012-2110 | Version: | 6 |
Platform(s): | Oracle Linux 6 Oracle Linux 5 | Product(s): | openssl openssl097a openssl098e |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24750 | |||
Oval ID: | oval:org.mitre.oval:def:24750 | ||
Title: | OpenSSL vulnerability in 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a, allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact | ||
Description: | The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2012-2110 | Version: | 3 |
Platform(s): | Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows 8 Microsoft Windows 8.1 Microsoft Windows Server 2012 Microsoft Windows Server 2012 R2 | Product(s): | OpenSSL |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27811 | |||
Oval ID: | oval:org.mitre.oval:def:27811 | ||
Title: | DEPRECATED: ELSA-2012-0518 -- openssl security update (important) | ||
Description: | openssl: [1.0.0-20.4] - fix for CVE-2012-2110 - memory corruption in asn1_d2i_read_bio() (#814185) openssl098e: [0.9.8e-17.el6_2.2] - Updated the description [0.9.8e-17.2] - fix for CVE-2012-2110 - memory corruption in asn1_d2i_read_bio() (#814185) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-0518 CVE-2012-2110 | Version: | 4 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | openssl openssl097a openssl098e |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
ExploitDB Exploits
id | Description |
---|---|
2012-04-19 | OpenSSL ASN1 BIO Memory Corruption Vulnerability |
OpenVAS Exploits
Date | Description |
---|---|
2012-08-31 | Name : VMSA-2012-0013 VMware vSphere and vCOps updates to third party libraries. File : nvt/gb_VMSA-2012-0013.nasl |
2012-08-30 | Name : Fedora Update for openssl FEDORA-2012-6343 File : nvt/gb_fedora_2012_6343_openssl_fc17.nasl |
2012-08-10 | Name : FreeBSD Ports: FreeBSD File : nvt/freebsd_FreeBSD19.nasl |
2012-08-03 | Name : Mandriva Update for openssl0.9.8 MDVSA-2012:064 (openssl0.9.8) File : nvt/gb_mandriva_MDVSA_2012_064.nasl |
2012-08-03 | Name : Mandriva Update for openssl MDVSA-2012:060 (openssl) File : nvt/gb_mandriva_MDVSA_2012_060.nasl |
2012-07-30 | Name : CentOS Update for openssl097a CESA-2012:0518 centos5 File : nvt/gb_CESA-2012_0518_openssl097a_centos5.nasl |
2012-07-30 | Name : CentOS Update for openssl098e CESA-2012:0518 centos6 File : nvt/gb_CESA-2012_0518_openssl098e_centos6.nasl |
2012-06-04 | Name : Fedora Update for openssl FEDORA-2012-8024 File : nvt/gb_fedora_2012_8024_openssl_fc15.nasl |
2012-06-04 | Name : Fedora Update for openssl FEDORA-2012-8014 File : nvt/gb_fedora_2012_8014_openssl_fc16.nasl |
2012-05-11 | Name : Fedora Update for openssl FEDORA-2012-6395 File : nvt/gb_fedora_2012_6395_openssl_fc15.nasl |
2012-04-30 | Name : Debian Security Advisory DSA 2454-2 (openssl) File : nvt/deb_2454_2.nasl |
2012-04-30 | Name : Fedora Update for openssl FEDORA-2012-6403 File : nvt/gb_fedora_2012_6403_openssl_fc16.nasl |
2012-04-30 | Name : FreeBSD Ports: openssl File : nvt/freebsd_openssl7.nasl |
2012-04-30 | Name : Debian Security Advisory DSA 2454-1 (openssl) File : nvt/deb_2454_1.nasl |
2012-04-26 | Name : RedHat Update for openssl RHSA-2012:0518-01 File : nvt/gb_RHSA-2012_0518-01_openssl.nasl |
2012-04-26 | Name : Ubuntu Update for openssl USN-1428-1 File : nvt/gb_ubuntu_USN_1428_1.nasl |
2012-04-20 | Name : Ubuntu Update for openssl USN-1424-1 File : nvt/gb_ubuntu_USN_1424_1.nasl |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2013-02-28 | IAVM : 2013-A-0056 - VMware ESXi 3.5 and ESX 3.5 Memory Corruption Vulnerability Severity : Category I - VMSKEY : V0037066 |
2012-09-27 | IAVM : 2012-A-0153 - Multiple Vulnerabilities in VMware ESX 4.0 and ESXi 4.0 Severity : Category I - VMSKEY : V0033884 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-03-04 | Name : The remote VMware ESX / ESXi host is missing a security-related patch. File : vmware_esx_VMSA-2013-0003_remote.nasl - Type : ACT_GATHER_INFO |
2016-02-29 | Name : The remote VMware ESX / ESXi host is missing a security-related patch. File : vmware_VMSA-2012-0013_remote.nasl - Type : ACT_GATHER_INFO |
2015-04-10 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL16285.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_openssl_20120626.nasl - Type : ACT_GATHER_INFO |
2014-12-22 | Name : The remote device is affected by multiple vulnerabilities. File : juniper_space_jsa10659.nasl - Type : ACT_GATHER_INFO |
2014-11-26 | Name : The remote OracleVM host is missing a security update. File : oraclevm_OVMSA-2014-0008.nasl - Type : ACT_GATHER_INFO |
2014-11-26 | Name : The remote OracleVM host is missing a security update. File : oraclevm_OVMSA-2014-0007.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-153.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2012-308.nasl - Type : ACT_GATHER_INFO |
2014-04-16 | Name : The remote AIX host is running a vulnerable version of OpenSSL. File : aix_openssl_advisory4.nasl - Type : ACT_GATHER_INFO |
2013-12-03 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201312-03.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-73.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-72.nasl - Type : ACT_GATHER_INFO |
2013-07-23 | Name : The remote web server is affected by multiple vulnerabilities. File : hpsmh_7_2_1_0.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-2011.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-0518.nasl - Type : ACT_GATHER_INFO |
2013-06-05 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_10_8_4.nasl - Type : ACT_GATHER_INFO |
2013-06-05 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_SecUpd2013-002.nasl - Type : ACT_GATHER_INFO |
2013-02-22 | Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2013-0003.nasl - Type : ACT_GATHER_INFO |
2013-01-25 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_compat-openssl097g-120830.nasl - Type : ACT_GATHER_INFO |
2013-01-25 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libopenssl-devel-120503.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-0522.nasl - Type : ACT_GATHER_INFO |
2012-11-26 | Name : The remote Fedora host is missing a security update. File : fedora_2012-18035.nasl - Type : ACT_GATHER_INFO |
2012-09-12 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_compat-openssl097g-8262.nasl - Type : ACT_GATHER_INFO |
2012-08-31 | Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2012-0013.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120424_openssl_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-07-17 | Name : The remote router has a memory corruption vulnerability. File : juniper_psn-2012-07-645.nasl - Type : ACT_GATHER_INFO |
2012-06-28 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_2ae114dec06411e1b5e0000c299b62e1.nasl - Type : ACT_GATHER_INFO |
2012-05-23 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_openssl-8112.nasl - Type : ACT_GATHER_INFO |
2012-05-11 | Name : The remote Fedora host is missing a security update. File : fedora_2012-6395.nasl - Type : ACT_GATHER_INFO |
2012-04-30 | Name : The remote Fedora host is missing a security update. File : fedora_2012-6403.nasl - Type : ACT_GATHER_INFO |
2012-04-27 | Name : The remote Fedora host is missing a security update. File : fedora_2012-6343.nasl - Type : ACT_GATHER_INFO |
2012-04-25 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1428-1.nasl - Type : ACT_GATHER_INFO |
2012-04-25 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-0518.nasl - Type : ACT_GATHER_INFO |
2012-04-25 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-0518.nasl - Type : ACT_GATHER_INFO |
2012-04-25 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-064.nasl - Type : ACT_GATHER_INFO |
2012-04-24 | Name : The remote host may be affected by a memory corruption vulnerability. File : openssl_0_9_8v.nasl - Type : ACT_GATHER_INFO |
2012-04-23 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_7184f92e8bb811e18d7b003067b2972c.nasl - Type : ACT_GATHER_INFO |
2012-04-20 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1424-1.nasl - Type : ACT_GATHER_INFO |
2012-04-20 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-060.nasl - Type : ACT_GATHER_INFO |
2012-04-20 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2454.nasl - Type : ACT_GATHER_INFO |
2012-04-19 | Name : The remote host may be affected by a memory corruption vulnerability. File : openssl_1_0_1a.nasl - Type : ACT_GATHER_INFO |
2012-04-19 | Name : The remote host may be affected by a memory corruption vulnerability. File : openssl_1_0_0i.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:55:53 |
|