Executive Summary
Summary | |
---|---|
Title | HP-UX Running OpenSSL, Remote Denial of Service (DoS) |
Informations | |||
---|---|---|---|
Name | HPSBUX02689 SSRT100494 | First vendor Publication | 2011-07-06 |
Vendor | HP | Last vendor Modification | 2011-07-27 |
Severity (Vendor) | N/A | Revision | 2 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A potential security vulnerability has been identified with HP-UX OpenSSL. This vulnerability could be exploited remotely to create a Denial of Service (DoS). |
Original Source
Url : http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02896506 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-399 | Resource Management Errors |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:12932 | |||
Oval ID: | oval:org.mitre.oval:def:12932 | ||
Title: | DSA-2162-1 openssl -- invalid memory access | ||
Description: | Neel Mehta discovered that an incorrectly formatted ClientHello handshake message could cause OpenSSL to parse past the end of the message. This allows an attacker to crash an application using OpenSSL by triggering an invalid memory access. Additionally, some applications may be vulnerable to expose contents of a parsed OCSP nonce extension. Packages in the oldstable distribution are not affected by this problem. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2162-1 CVE-2011-0014 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | openssl |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:13649 | |||
Oval ID: | oval:org.mitre.oval:def:13649 | ||
Title: | USN-1064-1 -- openssl vulnerability | ||
Description: | Neel Mehta discovered that incorrectly formatted ClientHello handshake messages could cause OpenSSL to parse past the end of the message. This could allow a remote attacker to cause a crash and denial of service by triggering invalid memory accesses. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1064-1 CVE-2011-0014 | Version: | 5 |
Platform(s): | Ubuntu 10.10 Ubuntu 10.04 | Product(s): | openssl |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18985 | |||
Oval ID: | oval:org.mitre.oval:def:18985 | ||
Title: | OpenSSL vulnerability 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c in VisualSVN Server (CVE-2011-0014) | ||
Description: | ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-bounds memory access, aka "OCSP stapling vulnerability." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2011-0014 | Version: | 5 |
Platform(s): | Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 | Product(s): | VisualSVN Server |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20568 | |||
Oval ID: | oval:org.mitre.oval:def:20568 | ||
Title: | Multiple OpenSSL vulnerabilities | ||
Description: | ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-bounds memory access, aka "OCSP stapling vulnerability." | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2011-0014 | Version: | 4 |
Platform(s): | IBM AIX 6.1 IBM AIX 7.1 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:20732 | |||
Oval ID: | oval:org.mitre.oval:def:20732 | ||
Title: | VMware vSphere and vCOps updates to third party libraries | ||
Description: | ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-bounds memory access, aka "OCSP stapling vulnerability." | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2011-0014 | Version: | 4 |
Platform(s): | VMWare ESX Server 4.1 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20975 | |||
Oval ID: | oval:org.mitre.oval:def:20975 | ||
Title: | RHSA-2011:0677: openssl security, bug fix, and enhancement update (Moderate) | ||
Description: | ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-bounds memory access, aka "OCSP stapling vulnerability." | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2011:0677-01 CVE-2011-0014 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 6 | Product(s): | openssl |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23416 | |||
Oval ID: | oval:org.mitre.oval:def:23416 | ||
Title: | ELSA-2011:0677: openssl security, bug fix, and enhancement update (Moderate) | ||
Description: | ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-bounds memory access, aka "OCSP stapling vulnerability." | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011:0677-01 CVE-2011-0014 | Version: | 6 |
Platform(s): | Oracle Linux 6 | Product(s): | openssl |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:24643 | |||
Oval ID: | oval:org.mitre.oval:def:24643 | ||
Title: | Vulnerability in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c, allows remote attackers to cause a denial of service (crash) | ||
Description: | ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-bounds memory access, aka "OCSP stapling vulnerability." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2011-0014 | Version: | 3 |
Platform(s): | Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows 8 Microsoft Windows 8.1 Microsoft Windows Server 2012 Microsoft Windows Server 2012 R2 | Product(s): | OpenSSL |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:28024 | |||
Oval ID: | oval:org.mitre.oval:def:28024 | ||
Title: | DEPRECATED: ELSA-2011-0677 -- openssl security, bug fix, and enhancement update (moderate) | ||
Description: | [1.0.0-10] - fix OCSP stapling vulnerability - CVE-2011-0014 (#676063) - correct the README.FIPS document [1.0.0-8] - add -x931 parameter to openssl genrsa command to use the ANSI X9.31 key generation method - use FIPS-186-3 method for DSA parameter generation - add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable to allow using MD5 when the system is in the maintenance state even if the /proc fips flag is on - make openssl pkcs12 command work by default in the FIPS mode [1.0.0-7] - listen on ipv6 wildcard in s_server so we accept connections from both ipv4 and ipv6 (#601612) - fix openssl speed command so it can be used in the FIPS mode with FIPS allowed ciphers (#619762) [1.0.0-6] - disable code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - CVE-2010-3864 (#649304) [1.0.0-5] - fix race in extension parsing code - CVE-2010-3864 (#649304) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011-0677 CVE-2011-0014 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | openssl |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-08-31 | Name : VMSA-2012-0013 VMware vSphere and vCOps updates to third party libraries. File : nvt/gb_VMSA-2012-0013.nasl |
2012-06-06 | Name : RedHat Update for openssl RHSA-2011:0677-01 File : nvt/gb_RHSA-2011_0677-01_openssl.nasl |
2012-02-12 | Name : Gentoo Security Advisory GLSA 201110-01 (openssl) File : nvt/glsa_201110_01.nasl |
2011-09-12 | Name : Fedora Update for openssl FEDORA-2011-12281 File : nvt/gb_fedora_2011_12281_openssl_fc14.nasl |
2011-08-19 | Name : Mac OS X v10.6.8 Multiple Vulnerabilities (2011-004) File : nvt/secpod_macosx_su11-004.nasl |
2011-05-05 | Name : Fedora Update for mingw32-openssl FEDORA-2011-5865 File : nvt/gb_fedora_2011_5865_mingw32-openssl_fc14.nasl |
2011-05-05 | Name : Fedora Update for mingw32-openssl FEDORA-2011-5876 File : nvt/gb_fedora_2011_5876_mingw32-openssl_fc13.nasl |
2011-03-24 | Name : Fedora Update for openssl FEDORA-2011-1255 File : nvt/gb_fedora_2011_1255_openssl_fc13.nasl |
2011-03-07 | Name : Debian Security Advisory DSA 2162-1 (openssl) File : nvt/deb_2162_1.nasl |
2011-02-18 | Name : Mandriva Update for openssl MDVSA-2011:028 (openssl) File : nvt/gb_mandriva_MDVSA_2011_028.nasl |
2011-02-18 | Name : Ubuntu Update for openssl vulnerability USN-1064-1 File : nvt/gb_ubuntu_USN_1064_1.nasl |
2011-02-16 | Name : Fedora Update for openssl FEDORA-2011-1273 File : nvt/gb_fedora_2011_1273_openssl_fc14.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2011-041-04 openssl File : nvt/esoft_slk_ssa_2011_041_04.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
70847 | OpenSSL ClientHello Handshake Message Parsing Invalid Memory Access OpenSSL contains a flaw that may allow a remote denial of service. The issue is triggered when an error occurs while parsing malformed ClientHello handshake messages, which may be exploited to trigger an invalid memory access with a crafted ClientHello handshake message. This may allow a remote attacker to cause a denial of service. Certain applications which use SSL may also allow the disclosure of the contents of parsed OCSP extensions. |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2012-09-27 | IAVM : 2012-A-0153 - Multiple Vulnerabilities in VMware ESX 4.0 and ESXi 4.0 Severity : Category I - VMSKEY : V0033884 |
2012-09-13 | IAVM : 2012-A-0148 - Multiple Vulnerabilities in VMware ESXi 4.1 and ESX 4.1 Severity : Category I - VMSKEY : V0033794 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-02-29 | Name : The remote VMware ESX / ESXi host is missing a security-related patch. File : vmware_VMSA-2012-0013_remote.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_libopenssl-devel-110210.nasl - Type : ACT_GATHER_INFO |
2014-04-16 | Name : The remote AIX host is running a vulnerable version of OpenSSL. File : aix_openssl_advisory2.nasl - Type : ACT_GATHER_INFO |
2013-11-13 | Name : The remote VMware ESXi 5.0 host is affected by multiple vulnerabilities. File : vmware_esxi_5_0_build_912577_remote.nasl - Type : ACT_GATHER_INFO |
2012-08-31 | Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2012-0013.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110519_openssl_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2012-04-20 | Name : The remote web server is affected by multiple vulnerabilities. File : hpsmh_7_0_0_24.nasl - Type : ACT_GATHER_INFO |
2011-10-10 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201110-01.nasl - Type : ACT_GATHER_INFO |
2011-06-24 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_10_6_8.nasl - Type : ACT_GATHER_INFO |
2011-05-20 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0677.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_libopenssl-devel-110210.nasl - Type : ACT_GATHER_INFO |
2011-05-02 | Name : The remote Fedora host is missing a security update. File : fedora_2011-5865.nasl - Type : ACT_GATHER_INFO |
2011-05-02 | Name : The remote Fedora host is missing a security update. File : fedora_2011-5876.nasl - Type : ACT_GATHER_INFO |
2011-04-29 | Name : The remote Fedora host is missing a security update. File : fedora_2011-5878.nasl - Type : ACT_GATHER_INFO |
2011-03-27 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libopenssl-devel-110210.nasl - Type : ACT_GATHER_INFO |
2011-03-18 | Name : The remote Fedora host is missing a security update. File : fedora_2011-1255.nasl - Type : ACT_GATHER_INFO |
2011-02-16 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2011-028.nasl - Type : ACT_GATHER_INFO |
2011-02-16 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1064-1.nasl - Type : ACT_GATHER_INFO |
2011-02-15 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2162.nasl - Type : ACT_GATHER_INFO |
2011-02-15 | Name : The remote Fedora host is missing a security update. File : fedora_2011-1273.nasl - Type : ACT_GATHER_INFO |
2011-02-11 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2011-041-04.nasl - Type : ACT_GATHER_INFO |
2011-02-09 | Name : The remote web server has an SSL-related denial of service vulnerability. File : openssl_1_0_0d.nasl - Type : ACT_GATHER_INFO |