The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote malicious users to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.
Vulnerable Product |
---|
oracle supply chain products suite 6.1.2.2 |
oracle supply chain products suite 6.2.0 |
oracle supply chain products suite 6.1.3.0 |
oracle jd edwards enterpriseone tools 9.2 |
oracle jd edwards enterpriseone tools 9.1 |
openssl openssl 1.0.2b |
openssl openssl 1.0.2c |
openssl openssl 1.0.1n |
openssl openssl 1.0.1o |
oracle opus 10g ethernet switch family |

Logjam in patch pipeline cleared at last
HP Enterprise has popped into its Tardis, and gone back in time to patch OpenSSL bugs dating back to 2014 – including the infamous Logjam bug. The bugs are in various network products: Intelligent Management Center (iMC), the VCX unified communications products, and the Comware network operating system. The company's notice cites Common Vulnerability and Exposure (CVE) advisories CVE-2014-8176, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, and CVE-2015-1793. Most o...