Published: 12/08/2002 Updated: 10/09/2008
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 505
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

The ASN1 library in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allows remote malicious users to cause a denial of service via invalid encodings.

Affected Products

Vendor | Product | Versions
Openssl | Openssl | 0.9.1c, 0.9.2b, 0.9.3, 0.9.4, 0.9.5, 0.9.5a, 0.9.6, 0.9.6a, 0.9.6b, 0.9.6c, 0.9.6d, 0.9.7
Oracle | Application Server | *, 1.0.2,,
Oracle | Corporate Time Outlook Connector | 3.1, 3.1.1, 3.1.2, 3.3
Oracle | Http Server | 9.0.1, 9.2.0
Apple | Mac Os X | 10.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.1, 10.1.1, 10.1.2, 10.1.3, 10.1.4, 10.1.5

Vendor Advisories

The OpenSSL development team has announced that a security audit by AL Digital Ltd and The Bunker, under the DARPA CHATS program, has revealed remotely exploitable buffer overflow conditions in the OpenSSL code. Additionally, the ASN1 parser in OpenSSL has a potential DoS attack independently discovered by Adi Stav and James Yonan. CAN-2002-0655 ...


source: www.securityfocus.com/bid/8732/info

Multiple vulnerabilities were reported in the ASN1 parsing code in OpenSSL. Attackers could exploit these issues to cause a denial of service or to execute arbitrary code.

/* Brute forcer for OpenSSL ASN1 parsing bugs (<=0.9.6j <=0.9.7b)
 * written by Bram Matthys (Syzop) on Oct 9 2003 ...