Executive Summary
Summary | |
---|---|
Title | OpenSSL vulnerabilities |
Informations | |||
---|---|---|---|
Name | USN-1451-1 | First vendor Publication | 2012-05-24 |
Vendor | Ubuntu | Last vendor Modification | 2012-05-24 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.04 LTS - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.04 LTS - Ubuntu 8.04 LTS Summary: Applications using OpenSSL in certain situations could be made to crash or expose sensitive information. Software Description: - openssl: Secure Socket Layer (SSL) cryptographic library and tools Details: Ivan Nestlerode discovered that the Cryptographic Message Syntax (CMS) and PKCS #7 implementations in OpenSSL returned early if RSA decryption failed. This could allow an attacker to expose sensitive information via a Million Message Attack (MMA). (CVE-2012-0884) It was discovered that an integer underflow was possible when using TLS 1.1, TLS 1.2, or DTLS with CBC encryption. This could allow a remote attacker to cause a denial of service. (CVE-2012-2333) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.04 LTS: Ubuntu 11.10: Ubuntu 11.04: Ubuntu 10.04 LTS: Ubuntu 8.04 LTS: After a standard system update you need to reboot your computer to make all the necessary changes. References: Package Information: |
Original Source
Url : http://www.ubuntu.com/usn/USN-1451-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-310 | Cryptographic Issues |
50 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:17579 | |||
Oval ID: | oval:org.mitre.oval:def:17579 | ||
Title: | USN-1451-1 -- openssl vulnerabilities | ||
Description: | Applications using OpenSSL in certain situations could be made to crash or expose sensitive information. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1451-1 CVE-2012-0884 CVE-2012-2333 | Version: | 7 |
Platform(s): | Ubuntu 12.04 Ubuntu 11.10 Ubuntu 11.04 Ubuntu 10.04 Ubuntu 8.04 | Product(s): | openssl |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17865 | |||
Oval ID: | oval:org.mitre.oval:def:17865 | ||
Title: | DSA-2475-1 openssl - integer underflow | ||
Description: | It was discovered that openssl did not correctly handle explicit Initialization Vectors for CBC encryption modes, as used in TLS 1.1, 1.2, and DTLS. An incorrect calculation would lead to an integer underflow and incorrect memory access, causing denial of service (application crash.) | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2475-1 CVE-2012-2333 | Version: | 7 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | openssl |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20725 | |||
Oval ID: | oval:org.mitre.oval:def:20725 | ||
Title: | Multiple OpenSSL vulnerabilities | ||
Description: | Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2012-2333 | Version: | 4 |
Platform(s): | IBM AIX 6.1 IBM AIX 7.1 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:20753 | |||
Oval ID: | oval:org.mitre.oval:def:20753 | ||
Title: | Multiple OpenSSL vulnerabilities | ||
Description: | The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2012-0884 | Version: | 4 |
Platform(s): | IBM AIX 6.1 IBM AIX 7.1 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21388 | |||
Oval ID: | oval:org.mitre.oval:def:21388 | ||
Title: | RHSA-2012:0699: openssl security and bug fix update (Moderate) | ||
Description: | Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:0699-01 CESA-2012:0699 CVE-2012-2333 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 CentOS Linux 5 CentOS Linux 6 | Product(s): | openssl |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23379 | |||
Oval ID: | oval:org.mitre.oval:def:23379 | ||
Title: | DEPRECATED: ELSA-2012:0699: openssl security and bug fix update (Moderate) | ||
Description: | Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:0699-01 CVE-2012-2333 | Version: | 7 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | openssl |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23676 | |||
Oval ID: | oval:org.mitre.oval:def:23676 | ||
Title: | ELSA-2012:0699: openssl security and bug fix update (Moderate) | ||
Description: | Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:0699-01 CVE-2012-2333 | Version: | 6 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | openssl |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24897 | |||
Oval ID: | oval:org.mitre.oval:def:24897 | ||
Title: | OpenSSL vulnerability in before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact | ||
Description: | Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2012-2333 | Version: | 3 |
Platform(s): | Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows 8 Microsoft Windows 8.1 Microsoft Windows Server 2012 Microsoft Windows Server 2012 R2 | Product(s): | OpenSSL |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25052 | |||
Oval ID: | oval:org.mitre.oval:def:25052 | ||
Title: | OpenSSL vulnerability in before 0.9.8u and 1.x before 1.0.0h makes it easier for context-dependent attackers to decrypt data | ||
Description: | The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2012-0884 | Version: | 3 |
Platform(s): | Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows 8 Microsoft Windows 8.1 Microsoft Windows Server 2012 Microsoft Windows Server 2012 R2 | Product(s): | OpenSSL |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27609 | |||
Oval ID: | oval:org.mitre.oval:def:27609 | ||
Title: | DEPRECATED: ELSA-2012-0699 -- openssl security and bug fix update (moderate) | ||
Description: | [1.0.0-20.5] - fix for CVE-2012-2333 - improper checking for record length in DTLS (#820686) - properly initialize tkeylen in the CVE-2012-0884 fix | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-0699 CVE-2012-2333 | Version: | 4 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | openssl |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-08-30 | Name : Fedora Update for openssl FEDORA-2012-4630 File : nvt/gb_fedora_2012_4630_openssl_fc17.nasl |
2012-08-30 | Name : Fedora Update for openssl FEDORA-2012-7939 File : nvt/gb_fedora_2012_7939_openssl_fc17.nasl |
2012-08-10 | Name : FreeBSD Ports: FreeBSD File : nvt/freebsd_FreeBSD19.nasl |
2012-08-03 | Name : Mandriva Update for openssl MDVSA-2012:073 (openssl) File : nvt/gb_mandriva_MDVSA_2012_073.nasl |
2012-08-03 | Name : Mandriva Update for openssl MDVSA-2012:038 (openssl) File : nvt/gb_mandriva_MDVSA_2012_038.nasl |
2012-07-30 | Name : CentOS Update for openssl CESA-2012:0426 centos5 File : nvt/gb_CESA-2012_0426_openssl_centos5.nasl |
2012-07-30 | Name : CentOS Update for openssl CESA-2012:0426 centos6 File : nvt/gb_CESA-2012_0426_openssl_centos6.nasl |
2012-07-30 | Name : CentOS Update for openssl CESA-2012:0699 centos5 File : nvt/gb_CESA-2012_0699_openssl_centos5.nasl |
2012-07-30 | Name : CentOS Update for openssl CESA-2012:0699 centos6 File : nvt/gb_CESA-2012_0699_openssl_centos6.nasl |
2012-06-04 | Name : Fedora Update for openssl FEDORA-2012-8024 File : nvt/gb_fedora_2012_8024_openssl_fc15.nasl |
2012-06-04 | Name : Fedora Update for openssl FEDORA-2012-8014 File : nvt/gb_fedora_2012_8014_openssl_fc16.nasl |
2012-06-01 | Name : RedHat Update for openssl RHSA-2012:0699-01 File : nvt/gb_RHSA-2012_0699-01_openssl.nasl |
2012-05-31 | Name : Debian Security Advisory DSA 2475-1 (openssl) File : nvt/deb_2475_1.nasl |
2012-05-31 | Name : FreeBSD Ports: openssl File : nvt/freebsd_openssl9.nasl |
2012-05-25 | Name : Ubuntu Update for openssl USN-1451-1 File : nvt/gb_ubuntu_USN_1451_1.nasl |
2012-05-11 | Name : Fedora Update for openssl FEDORA-2012-6395 File : nvt/gb_fedora_2012_6395_openssl_fc15.nasl |
2012-04-30 | Name : Fedora Update for openssl FEDORA-2012-6403 File : nvt/gb_fedora_2012_6403_openssl_fc16.nasl |
2012-04-30 | Name : FreeBSD Ports: openssl File : nvt/freebsd_openssl8.nasl |
2012-04-30 | Name : Debian Security Advisory DSA 2454-1 (openssl) File : nvt/deb_2454_1.nasl |
2012-04-13 | Name : Fedora Update for openssl FEDORA-2012-4659 File : nvt/gb_fedora_2012_4659_openssl_fc15.nasl |
2012-04-11 | Name : Fedora Update for openssl FEDORA-2012-4665 File : nvt/gb_fedora_2012_4665_openssl_fc16.nasl |
2012-03-29 | Name : RedHat Update for openssl RHSA-2012:0426-01 File : nvt/gb_RHSA-2012_0426-01_openssl.nasl |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_openssl_20120814.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_openssl_20120523.nasl - Type : ACT_GATHER_INFO |
2014-12-22 | Name : The remote device is affected by multiple vulnerabilities. File : juniper_space_jsa10659.nasl - Type : ACT_GATHER_INFO |
2014-11-26 | Name : The remote OracleVM host is missing a security update. File : oraclevm_OVMSA-2014-0008.nasl - Type : ACT_GATHER_INFO |
2014-11-26 | Name : The remote OracleVM host is missing a security update. File : oraclevm_OVMSA-2014-0007.nasl - Type : ACT_GATHER_INFO |
2014-11-17 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-0488.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-0531.nasl - Type : ACT_GATHER_INFO |
2014-10-10 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL15401.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-153.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2012-308.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2012-242.nasl - Type : ACT_GATHER_INFO |
2014-04-16 | Name : The remote AIX host is running a vulnerable version of OpenSSL. File : aix_openssl_advisory4.nasl - Type : ACT_GATHER_INFO |
2013-12-03 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201312-03.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-85.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-62.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-0699.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-0426.nasl - Type : ACT_GATHER_INFO |
2013-06-05 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_10_8_4.nasl - Type : ACT_GATHER_INFO |
2013-06-05 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_SecUpd2013-002.nasl - Type : ACT_GATHER_INFO |
2013-01-25 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libopenssl-devel-120524.nasl - Type : ACT_GATHER_INFO |
2012-11-26 | Name : The remote Fedora host is missing a security update. File : fedora_2012-18035.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120529_openssl_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120327_openssl_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-06-28 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_2ae114dec06411e1b5e0000c299b62e1.nasl - Type : ACT_GATHER_INFO |
2012-06-04 | Name : The remote Fedora host is missing a security update. File : fedora_2012-8014.nasl - Type : ACT_GATHER_INFO |
2012-06-04 | Name : The remote Fedora host is missing a security update. File : fedora_2012-8024.nasl - Type : ACT_GATHER_INFO |
2012-05-31 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_openssl-8143.nasl - Type : ACT_GATHER_INFO |
2012-05-30 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-0699.nasl - Type : ACT_GATHER_INFO |
2012-05-30 | Name : The remote Fedora host is missing a security update. File : fedora_2012-7939.nasl - Type : ACT_GATHER_INFO |
2012-05-30 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-0699.nasl - Type : ACT_GATHER_INFO |
2012-05-29 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1451-1.nasl - Type : ACT_GATHER_INFO |
2012-05-18 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2475.nasl - Type : ACT_GATHER_INFO |
2012-05-16 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_dba5d1c99f2911e1b511003067c2616f.nasl - Type : ACT_GATHER_INFO |
2012-05-14 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-073.nasl - Type : ACT_GATHER_INFO |
2012-05-11 | Name : The remote host may be affected by a denial of service vulnerability. File : openssl_0_9_8x.nasl - Type : ACT_GATHER_INFO |
2012-05-11 | Name : The remote host may be affected by a denial of service vulnerability. File : openssl_1_0_1c.nasl - Type : ACT_GATHER_INFO |
2012-05-11 | Name : The remote host may be affected by a denial of service vulnerability. File : openssl_1_0_0j.nasl - Type : ACT_GATHER_INFO |
2012-04-20 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2454.nasl - Type : ACT_GATHER_INFO |
2012-04-12 | Name : The remote Fedora host is missing a security update. File : fedora_2012-4659.nasl - Type : ACT_GATHER_INFO |
2012-04-12 | Name : The remote Fedora host is missing a security update. File : fedora_2012-4630.nasl - Type : ACT_GATHER_INFO |
2012-04-11 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libopenssl-devel-120328.nasl - Type : ACT_GATHER_INFO |
2012-04-11 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libopenssl-devel-120327.nasl - Type : ACT_GATHER_INFO |
2012-04-11 | Name : The remote Fedora host is missing a security update. File : fedora_2012-4665.nasl - Type : ACT_GATHER_INFO |
2012-04-02 | Name : The remote host may be affected by multiple vulnerabilities. File : openssl_0_9_8u.nasl - Type : ACT_GATHER_INFO |
2012-04-02 | Name : The remote host may be affected by multiple vulnerabilities. File : openssl_1_0_0h.nasl - Type : ACT_GATHER_INFO |
2012-03-28 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-0426.nasl - Type : ACT_GATHER_INFO |
2012-03-28 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-0426.nasl - Type : ACT_GATHER_INFO |
2012-03-27 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-038.nasl - Type : ACT_GATHER_INFO |
2012-03-16 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_60eb344e6eb111e18ad700e0815b8da8.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 12:00:08 |
|