CVE-2015-0289

Published: 19/03/2015 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

The PKCS#7 implementation in OpenSSL prior to 0.9.8zf, 1.0.0 prior to 1.0.0r, 1.0.1 prior to 1.0.1m, and 1.0.2 prior to 1.0.2a does not properly handle a lack of outer ContentInfo, which allows malicious users to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c.

Vulnerable Product

openssl openssl 1.0.1j

openssl openssl 1.0.0n

openssl openssl 1.0.0c

openssl openssl 1.0.0i

openssl openssl 1.0.1h

openssl openssl 1.0.0m

openssl openssl 1.0.1c

openssl openssl 1.0.1g

openssl openssl 1.0.0h

openssl openssl 1.0.0e

openssl openssl 1.0.0f

openssl openssl 1.0.0d

openssl openssl 1.0.0j

openssl openssl 1.0.0p

openssl openssl 1.0.1a

openssl openssl 1.0.0o

openssl openssl 1.0.1d

openssl openssl 1.0.0k

openssl openssl 1.0.1k

openssl openssl 1.0.0

openssl openssl 1.0.1b

openssl openssl 1.0.1e

openssl openssl 1.0.1l

openssl openssl 1.0.1f

openssl openssl 1.0.0l

openssl openssl 1.0.2

openssl openssl 1.0.0a

openssl openssl 1.0.0q

openssl openssl 1.0.1i

openssl openssl 1.0.0b

openssl openssl 1.0.1

openssl openssl 1.0.0g

openssl openssl

Vendor Advisories

Several security issues were fixed in OpenSSL ...
A use-after-free flaw was found in the way OpenSSL imported certain Elliptic Curve private keys. An attacker could use this flaw to crash OpenSSL, if a specially-crafted certificate was imported (CVE-2015-0209). A denial of service flaw was found in the way OpenSSL handled certain SSLv2 messages. A malicious client could send a specially crafted SS ...
A NULL pointer dereference was found in the way OpenSSL handled certain PKCS#7 inputs. An attacker able to make an application using OpenSSL verify, decrypt, or parse a specially crafted PKCS#7 input could cause that application to crash. TLS/SSL clients and servers using OpenSSL were not affected by this flaw ...
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulner ...
Nessus is potentially impacted by seven vulnerabilities in OpenSSL that were recently disclosed and fixed. OpenSSL contains an invalid read flaw in the ASN1_TYPE_cmp() function in crypto/asn1/a_type.c that is triggered when an attempt is made to compare ASN1 boolean types. This may allow a context-dependent attacker to crash an application linked ...

References

NVD-CWE-Other

https://www.openssl.org/news/secadv_20150319.txt
https://bugzilla.redhat.com/show_bug.cgi?id=1202384
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152844.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152733.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152734.html
http://www.debian.org/security/2015/dsa-3197
http://lists.opensuse.org/opensuse-updates/2015-03/msg00062.html
https://www.freebsd.org/security/advisories/FreeBSD-SA-15%3A06.openssl.asc
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00022.html
http://www.ubuntu.com/usn/USN-2537-1
http://www.securitytracker.com/id/1031929
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html
http://rhn.redhat.com/errata/RHSA-2015-0716.html
http://www.mandriva.com/security/advisories?name=MDVSA-2015:063
http://www.mandriva.com/security/advisories?name=MDVSA-2015:062
http://rhn.redhat.com/errata/RHSA-2015-0752.html
http://rhn.redhat.com/errata/RHSA-2015-0715.html
http://marc.info/?l=bugtraq&m=142841429220765&w=2
http://rhn.redhat.com/errata/RHSA-2015-0800.html
https://access.redhat.com/articles/1384453
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/156823.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157177.html
http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.html
http://support.apple.com/kb/HT204942
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
https://bto.bluecoat.com/security-advisory/sa92
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://marc.info/?l=bugtraq&m=144050297101809&w=2
http://marc.info/?l=bugtraq&m=143213830203296&w=2
http://marc.info/?l=bugtraq&m=143748090628601&w=2
http://marc.info/?l=bugtraq&m=144050155601375&w=2
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
http://www.fortiguard.com/advisory/2015-03-24-openssl-vulnerabilities-march-2015
https://security.gentoo.org/glsa/201503-11
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10680
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00037.html
https://kc.mcafee.com/corporate/index?page=content&id=SB10110
http://www.securityfocus.com/bid/73231
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=c0334c2c92dd1bc3ad8138ba6e74006c3631b0f9
https://usn.ubuntu.com/2537-1/
https://nvd.nist.gov
https://access.redhat.com/security/cve/cve-2015-0289
https://www.cisa.gov/uscert/ics/advisories/icsa-22-349-21