Executive Summary
Summary | |
---|---|
Title | Updated OpenSSL packages fix vulnerabilities |
Information | |||
---|---|---|---|
Name | RHSA-2004:120 | First vendor Publication | 2004-03-17 |
Vendor | RedHat | Last vendor Modification | 2004-03-17 |
Severity (Vendor) | N/A | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Problem Description: |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2004-120.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-476 | NULL Pointer Dereference |
50 % | CWE-125 | Out-of-bounds Read |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:1049 | |||
Oval ID: | oval:org.mitre.oval:def:1049 | ||
Title: | Red Hat OpenSSL Kerberos Handshake Vulnerability | ||
Description: | The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2004-0112 | Version: | 2 |
Platform(s): | Red Hat Linux 9 | Product(s): | OpenSSL |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:11755 | |||
Oval ID: | oval:org.mitre.oval:def:11755 | ||
Title: | OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. | ||
Description: | OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2004-0081 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:2621 | |||
Oval ID: | oval:org.mitre.oval:def:2621 | ||
Title: | OpenSSL Denial of Service Vulnerabilities | ||
Description: | The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2004-0079 | Version: | 1 |
Platform(s): | Sun Solaris 8 | Product(s): | Sun Crypto Accelerator 4000 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:5770 | |||
Oval ID: | oval:org.mitre.oval:def:5770 | ||
Title: | Multiple Vendor OpenSSL 0.9.6x, 0.9.7x Null-Pointer DoS Vulnerability | ||
Description: | The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. | ||
Family: | ios | Class: | vulnerability |
Reference(s): | CVE-2004-0079 | Version: | 3 |
Platform(s): | Cisco IOS | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:870 | |||
Oval ID: | oval:org.mitre.oval:def:870 | ||
Title: | Red Hat Enterprise 3 OpenSSL do_change_cipher_spec Function Denial of Service | ||
Description: | The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2004-0079 | Version: | 2 |
Platform(s): | Red Hat Enterprise Linux 3 | Product(s): | OpenSSL |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:871 | |||
Oval ID: | oval:org.mitre.oval:def:871 | ||
Title: | Red Hat Enterprise 3 OpenSSL Improper Unknown Message Handling Vulnerability | ||
Description: | OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2004-0081 | Version: | 2 |
Platform(s): | Red Hat Enterprise Linux 3 | Product(s): | OpenSSL |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:902 | |||
Oval ID: | oval:org.mitre.oval:def:902 | ||
Title: | Red Hat OpenSSL Improper Unknown Message Handling Vulnerability | ||
Description: | OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2004-0081 | Version: | 2 |
Platform(s): | Red Hat Linux 9 | Product(s): | OpenSSL |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:928 | |||
Oval ID: | oval:org.mitre.oval:def:928 | ||
Title: | Red Hat Enterprise 3 OpenSSL Kerberos Handshake Vulnerability | ||
Description: | The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2004-0112 | Version: | 2 |
Platform(s): | Red Hat Enterprise Linux 3 | Product(s): | OpenSSL |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:9580 | |||
Oval ID: | oval:org.mitre.oval:def:9580 | ||
Title: | The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read. | ||
Description: | The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2004-0112 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:975 | |||
Oval ID: | oval:org.mitre.oval:def:975 | ||
Title: | Red Hat OpenSSL do_change_cipher_spec Function Denial of Service | ||
Description: | The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2004-0079 | Version: | 2 |
Platform(s): | Red Hat Linux 9 | Product(s): | OpenSSL |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:9779 | |||
Oval ID: | oval:org.mitre.oval:def:9779 | ||
Title: | The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. | ||
Description: | The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2004-0079 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 | |
Application | 1 | |
Hardware | 1 | |
Hardware | 2 | |
Hardware | 2 | |
Hardware | 2 | |
Hardware | 3 | |
Hardware | 5 | |
Hardware | 1 | |
Hardware | 2 | |
Hardware | 1 | |
Os | 1 | |
Os | 1 | |
Os | 8 | |
Os | 4 | |
Os | 2 | |
Os | 3 | |
Os | 1 | |
Os | 3 | |
Os | 2 |
OpenVAS Exploits
Date | Description |
---|---|
2009-11-17 | Name : Mac OS X Version File : nvt/macosx_version.nasl |
2009-05-05 | Name : HP-UX Update for AAA Server HPSBUX01011 File : nvt/gb_hp_ux_HPSBUX01011.nasl |
2009-05-05 | Name : HP-UX Update for Apache HPSBUX01019 File : nvt/gb_hp_ux_HPSBUX01019.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200403-03 (OpenSSL) File : nvt/glsa_200403_03.nasl |
2008-09-04 | Name : FreeBSD Ports: openssl, openssl-beta File : nvt/freebsd_openssl.nasl |
2008-09-04 | Name : FreeBSD Security Advisory (FreeBSD-SA-04:05.openssl.asc) File : nvt/freebsdsa_openssl1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 465-1 (openssl,openssl094,openssl095) File : nvt/deb_465_1.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2004-077-01 OpenSSL security update File : nvt/esoft_slk_ssa_2004_077_01.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
4318 | OpenSSL TLS Infinite Loop DoS OpenSSL contains a flaw that may allow a remote denial of service. The issue is triggered when unknown TLS message types are sent to it, which creates an infinite loop and will result in loss of availability for OpenSSL or the application using it. |
4317 | OpenSSL SSL/TLS Handshake Null Pointer DoS OpenSSL contains a flaw that may allow a remote denial of service. The issue is triggered when a null-pointer assignment in the do_change_cipher_spec() function is accessed via a carefully crafted SSL/TLS handshake. This might cause some applications that depend on OpenSSL to crash or otherwise lead to a denial of service, and will result in loss of availability for OpenSSL or the application that is depending on it. |
4316 | OpenSSL Kerberos SSL/TLS Handshake DoS The SSL/TLS handshaking code in OpenSSL does not properly check the length of Kerberos tickets during an SSL/TLS handshake when using Kerberos ciphersuites. This allows remote attackers to cause a denial of service by manipulating the parameters during SSL/TLS handshake, causing an out-of-bounds read and crashing OpenSSL. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2012-01-04 | Name : The remote server is vulnerable to a denial of service attack. File : openssl_0_9_6m_0_9_7d.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_68233cba777411d889ed0020ed76ef5a.nasl - Type : ACT_GATHER_INFO |
2006-07-03 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2005-830.nasl - Type : ACT_GATHER_INFO |
2005-11-04 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2005-830.nasl - Type : ACT_GATHER_INFO |
2005-11-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2005-829.nasl - Type : ACT_GATHER_INFO |
2005-11-02 | Name : The remote Fedora Core host is missing a security update. File : fedora_2005-1042.nasl - Type : ACT_GATHER_INFO |
2005-08-18 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_SecUpd2005-007.nasl - Type : ACT_GATHER_INFO |
2005-07-13 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2004-077-01.nasl - Type : ACT_GATHER_INFO |
2005-03-18 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_30650.nasl - Type : ACT_GATHER_INFO |
2005-03-18 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_30649.nasl - Type : ACT_GATHER_INFO |
2005-03-18 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_30648.nasl - Type : ACT_GATHER_INFO |
2005-03-18 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_30646.nasl - Type : ACT_GATHER_INFO |
2005-03-18 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_30645.nasl - Type : ACT_GATHER_INFO |
2005-03-18 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_30644.nasl - Type : ACT_GATHER_INFO |
2005-03-18 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_30643.nasl - Type : ACT_GATHER_INFO |
2005-03-18 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_30642.nasl - Type : ACT_GATHER_INFO |
2005-03-18 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_30641.nasl - Type : ACT_GATHER_INFO |
2005-03-18 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_30640.nasl - Type : ACT_GATHER_INFO |
2005-02-16 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_30647.nasl - Type : ACT_GATHER_INFO |
2005-02-16 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_30639.nasl - Type : ACT_GATHER_INFO |
2004-09-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-465.nasl - Type : ACT_GATHER_INFO |
2004-08-30 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200403-03.nasl - Type : ACT_GATHER_INFO |
2004-07-31 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2004-023.nasl - Type : ACT_GATHER_INFO |
2004-07-25 | Name : The remote host is missing a vendor-supplied security patch File : suse_SA_2004_007.nasl - Type : ACT_GATHER_INFO |
2004-07-23 | Name : The remote Fedora Core host is missing a security update. File : fedora_2004-095.nasl - Type : ACT_GATHER_INFO |
2004-07-06 | Name : The remote host is missing a Mac OS X update that fixes a security issue. File : macosx_SecUpd20040503.nasl - Type : ACT_GATHER_INFO |
2004-07-06 | Name : The remote host is using an unsupported version of Mac OS X. File : macosx_version.nasl - Type : ACT_GATHER_INFO |
2004-07-06 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2004-119.nasl - Type : ACT_GATHER_INFO |
2004-07-06 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2004-120.nasl - Type : ACT_GATHER_INFO |
2004-03-17 | Name : The remote service is prone to a denial of service attack. File : openssl_denial.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:48:26 | |