
CVE-2015-3195

Published: 06/12/2015 Updated: 19/01/2021
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 5.3 | Impact Score: 1.4 | Exploitability Score: 3.9
VMScore: 445
CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.

Note that the vendor advisories quoted below describe the defect as a memory leak rather than a disclosure: when decoding of a malformed X509_ATTRIBUTE fails, the error path does not release everything already allocated for the partially decoded structure, so an application that repeatedly parses attacker-supplied PKCS#7 or CMS data can be driven to excessive memory use and a crash (denial of service). The OpenSSL project advisory linked under References states that SSL/TLS is not affected; the exposure is in applications that parse PKCS#7 or CMS input from untrusted sources.
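To make the error-path ownership problem concrete, here is a simplified model written for this page (it is not OpenSSL's code): a parent structure standing in for X509_ATTRIBUTE whose second field is a CHOICE merged into the parent, which is what ASN1_TFLG_COMBINE means, decoded from a toy tag-length-value encoding. The type names, the toy encoding, the allocation counter and the sample inputs are all inventions of the example. In the pre-fix behaviour the merged child's error path frees and NULLs the pointer it shares with the parent, so the parent's cleanup finds nothing to free and the already decoded object is leaked; with the fix, a combined child leaves the parent's pointer alone and the parent releases everything.

```c
/* Simplified model of the CVE-2015-3195 error-path leak. Example code written for
 * this page, not OpenSSL's implementation: type and function names are invented
 * and the "encoding" is a toy tag-length-value format, not real DER. */
#include <stdlib.h>
#include <string.h>

static int live_blocks = 0;   /* allocation counter so the leak is observable */

static void *xmalloc(size_t n) { void *p = calloc(1, n ? n : 1); if (p) live_blocks++; return p; }
static void xfree(void *p) { if (p) { live_blocks--; free(p); } }

/* Stand-in for ASN1_OBJECT, the first field of the attribute. */
typedef struct { unsigned char *oid; size_t oid_len; } MODEL_OBJECT;

/* Stand-in for X509_ATTRIBUTE. The CHOICE holding the value is "combined" with
 * this struct: the child decoder fills it in instead of allocating its own. */
typedef struct { MODEL_OBJECT *object; unsigned char *value; size_t value_len; } MODEL_ATTRIBUTE;

static void attribute_free(MODEL_ATTRIBUTE **pval)
{
    MODEL_ATTRIBUTE *a = *pval;
    if (a == NULL)
        return;
    if (a->object != NULL) {
        xfree(a->object->oid);
        xfree(a->object);
    }
    xfree(a->value);
    xfree(a);
    *pval = NULL;
}

/* Decoder for the merged CHOICE (toy tags 0x04 = single value, 0x31 = SET).
 * 'combine' mirrors the flag the upstream fix passes down to the item decoder;
 * 'fixed' selects pre-fix or post-fix cleanup on the error path. */
static int choice_d2i(MODEL_ATTRIBUTE **pval, const unsigned char **in, long len, int combine, int fixed)
{
    const unsigned char *p = *in;
    MODEL_ATTRIBUTE *a = *pval;
    if (len < 2 || (p[0] != 0x04 && p[0] != 0x31) || p[1] > len - 2)
        goto err;
    if ((a->value = xmalloc(p[1])) == NULL)
        goto err;
    memcpy(a->value, p + 2, p[1]);
    a->value_len = p[1];
    *in = p + 2 + p[1];
    return 1;
 err:
    /* Pre-fix: the CHOICE's free routine releases the struct it was handed and
     * NULLs the caller's pointer, unaware that the struct is the parent's and
     * already holds the decoded 'object'. Post-fix: a combined child leaves the
     * struct alone and lets the parent's own error path free it. */
    if (!fixed || !combine) {
        xfree(a->value);
        xfree(a);
        *pval = NULL;
    }
    return 0;
}

/* Decoder for the whole attribute: OBJECT (toy tag 0x06), then the merged CHOICE. */
static int attribute_d2i(MODEL_ATTRIBUTE **pval, const unsigned char *in, long len, int fixed)
{
    const unsigned char *p = in;
    MODEL_ATTRIBUTE *a = xmalloc(sizeof(*a));
    if (a == NULL)
        return 0;
    *pval = a;
    if (len < 2 || p[0] != 0x06 || p[1] > len - 2)
        goto err;
    if ((a->object = xmalloc(sizeof(*a->object))) == NULL)
        goto err;
    if ((a->object->oid = xmalloc(p[1])) == NULL)
        goto err;
    memcpy(a->object->oid, p + 2, p[1]);
    a->object->oid_len = p[1];
    len -= 2 + p[1];
    p += 2 + p[1];
    if (!choice_d2i(pval, &p, len, 1, fixed))   /* decoded straight into *pval */
        goto err;
    return 1;
 err:
    attribute_free(pval);   /* a no-op if the child already NULLed *pval: that is the leak */
    return 0;
}

/* Constructed inputs. MALFORMED: OBJECT 2.5.4.3 followed by an INTEGER, which is
 * not a member of the value CHOICE, so the child decoder fails. GOOD: the same
 * OBJECT followed by an OCTET STRING "AB". */
static const unsigned char MALFORMED[] = { 0x06, 0x03, 0x55, 0x04, 0x03, 0x02, 0x01, 0x01 };
static const unsigned char GOOD[]      = { 0x06, 0x03, 0x55, 0x04, 0x03, 0x04, 0x02, 0x41, 0x42 };

/* Decodes one attribute, frees it if decoding succeeded, and returns how many
 * heap blocks are still live afterwards: anything above zero is the leak. */
static int leaked_blocks(const unsigned char *in, long len, int fixed)
{
    MODEL_ATTRIBUTE *a = NULL;
    live_blocks = 0;
    if (attribute_d2i(&a, in, len, fixed))
        attribute_free(&a);
    return live_blocks;
}
```

With the pre-fix cleanup, `leaked_blocks(MALFORMED, sizeof MALFORMED, 0)` reports two live blocks (the object and its OID bytes) per malformed input, which is what a long-running PKCS#7 or CMS consumer accumulates; with the fix it reports zero, and the well-formed input frees cleanly either way. The lesson generalises beyond OpenSSL: an error path may only free what the failing routine itself owns.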

Vulnerable Products

apple mac os x
oracle api gateway 11.1.2.3.0
oracle api gateway 11.1.2.4.0
oracle communications webrtc session controller 7.0
oracle communications webrtc session controller 7.1
oracle communications webrtc session controller 7.2
oracle exalogic infrastructure 1.0
oracle exalogic infrastructure 2.0
oracle http server 11.5.10.2
oracle life sciences data hub 2.1
oracle sun ray software 11.1
oracle transportation management 6.1
oracle transportation management 6.2
oracle vm server 3.2
oracle vm virtualbox
oracle integrated lights out manager firmware
oracle linux 5
oracle linux 6
oracle linux 7
oracle solaris 10
oracle solaris 11.3
openssl openssl
redhat enterprise linux desktop 5.0
redhat enterprise linux desktop 6.0
redhat enterprise linux desktop 7.0
redhat enterprise linux server 5.0
redhat enterprise linux server 6.0
redhat enterprise linux server 7.0
redhat enterprise linux server aus 7.2
redhat enterprise linux server aus 7.3
redhat enterprise linux server aus 7.4
redhat enterprise linux server aus 7.6
redhat enterprise linux server aus 7.7
redhat enterprise linux server tus 7.2
redhat enterprise linux server tus 7.3
redhat enterprise linux server tus 7.6
redhat enterprise linux server tus 7.7
redhat enterprise linux workstation 5.0
redhat enterprise linux workstation 6.0
redhat enterprise linux workstation 7.0
canonical ubuntu linux 12.04
canonical ubuntu linux 14.04
canonical ubuntu linux 15.04
canonical ubuntu linux 15.10
debian debian linux 7.0
debian debian linux 8.0
opensuse leap 42.1
opensuse opensuse 11.4
opensuse opensuse 13.1
opensuse opensuse 13.2
suse linux enterprise server 10
fedoraproject fedora 22
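A first triage step for the products above is to compare the OpenSSL version string a system reports against the fixed releases named in the summary (0.9.8zh, 1.0.0t, 1.0.1q, 1.0.2e). The check below is example code written for this page, not a tool from OpenSSL or any vendor; the function and type names are its own. It parses strings of the form printed by `openssl version` and applies the OpenSSL letter-suffix ordering, where a shorter suffix is always older than a longer one (0.9.8z precedes 0.9.8za through 0.9.8zh), which a plain string comparison gets wrong.

```c
/* Version-string check for CVE-2015-3195. Example code written for this page, not
 * an OpenSSL or vendor tool. Fixed releases per the vulnerability summary:
 * 0.9.8zh, 1.0.0t, 1.0.1q, 1.0.2e. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int major, minor, fix;
    char letters[8];   /* "", "e", "zh", ... */
} OSSL_VERSION;

/* Parses strings such as "OpenSSL 1.0.1e-fips 11 Feb 2013" or "1.0.2d": skips to
 * the first digit, reads the three numeric components, then collects the
 * lowercase letter suffix (stopping at "-fips" and the like). */
static int parse_openssl_version(const char *s, OSSL_VERSION *v)
{
    int consumed = 0;
    size_t n = 0;
    while (*s && !isdigit((unsigned char)*s))
        s++;
    if (sscanf(s, "%d.%d.%d%n", &v->major, &v->minor, &v->fix, &consumed) < 3)
        return 0;
    s += consumed;
    while (islower((unsigned char)*s) && n < sizeof(v->letters) - 1)
        v->letters[n++] = *s++;
    v->letters[n] = '\0';
    return 1;
}

/* Orders OpenSSL letter suffixes: "" < "a" < ... < "z" < "za" < ... < "zh".
 * Length decides first because "za" means "the release after z". */
static int suffix_cmp(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la != lb)
        return la < lb ? -1 : 1;
    return strcmp(a, b);
}

/* Returns 1 if the version string falls in an affected range listed for this CVE,
 * 0 if it is at or past the fixed release on its branch, and -1 if the string
 * does not parse or its branch is not one the summary lists (no claim is made). */
static int cve_2015_3195_affected(const char *version_string)
{
    static const OSSL_VERSION fixed[] = {
        { 0, 9, 8, "zh" }, { 1, 0, 0, "t" }, { 1, 0, 1, "q" }, { 1, 0, 2, "e" },
    };
    OSSL_VERSION v;
    if (!parse_openssl_version(version_string, &v))
        return -1;
    for (size_t i = 0; i < sizeof(fixed) / sizeof(fixed[0]); i++) {
        const OSSL_VERSION *f = &fixed[i];
        if (v.major == f->major && v.minor == f->minor && v.fix == f->fix)
            return suffix_cmp(v.letters, f->letters) < 0 ? 1 : 0;
    }
    return -1;
}
```

Feed it the output of `openssl version` or the version string a scanner extracted from a TLS banner or a shared library. A result of 1 is a lead, not a verdict: distributions backport fixes without changing the upstream version string (Red Hat's `1.0.1e-fips` stays `1.0.1e` after the errata linked under References), so confirm against the package changelog, for example `rpm -q --changelog openssl | grep CVE-2015-3195` on RPM-based systems, or the vendor advisory for the product in question.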

Vendor Advisories

Synopsis: Moderate: openssl security update. Type/Severity: Security Advisory: Moderate. Topic: Updated openssl packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring Sys ...
Synopsis: Moderate: openssl security update. Type/Severity: Security Advisory: Moderate. Topic: Updated openssl packages that fix three security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scor ...
Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues: CVE-2015-3194: Loic Jonas Etienne of Qnective AG discovered that the signature verification routines will crash with a NULL pointer dereference if presented with an A ...
A memory leak vulnerability was found in the way OpenSSL parsed PKCS#7 and CMS data. A remote attacker could use this flaw to cause an application that parses PKCS#7 or CMS data from untrusted sources to use an excessive amount of memory and possibly crash ...
Several security issues were fixed in OpenSSL ...
A NULL pointer dereference flaw was found in the way OpenSSL verified signatures using the RSA PSS algorithm. A remote attacker could possibly use this flaw to crash a TLS/SSL client using OpenSSL, or a TLS/SSL server using OpenSSL if it enabled client authentication (CVE-2015-3194). A memory leak vulnerability was found in the way OpenSSL parsed P ...
SecurityCenter and the Tenable Appliance are potentially impacted by vulnerabilities in OpenSSL that were recently disclosed and fixed. Note that due to the time involved in doing a full analysis of the issue, Tenable has opted to patch the included version of OpenSSL as a precaution, and to save time. CVE-2015-3194 - crypto/rsa/rsa_ameth.c in Ope ...
Synopsis: Important: Red Hat JBoss Core Services Apache HTTP 2.4.23 Release. Type/Severity: Security Advisory: Important. Topic: Red Hat JBoss Core Services httpd 2.4.23 is now available from the Red Hat Customer Portal for Solaris and Microsoft Windows systems. Red Hat Product Security has rated this release as ...
Forcepoint: CVE-2015-3194, 3195, 3196 -- Security Vulnerabilities. Article Number: 000008483. Products: Email Securit ...
On December 3, 2015, the OpenSSL Project released a security advisory detailing five vulnerabilities. Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This advisory will be updated as add ...
Security Advisory ID: SYMSA1338. Initial Publication Date: 10 Dec 2015. Advisory Status: Open. Advisory Severity: Medium. CVSS Base Score: CVSS v2: 5.0. Legacy ID: SA1 ...
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website. For information about the Apple Product Security PGP Key, see How to use ...
Oracle Linux Bulletin - October 2015. Description: The Oracle Linux Bulletin lists all CVEs that had been resolved and announced in Oracle Linux Security Advisories (ELSA) in the last one month prior to the release of the bulletin. Oracle Linux Bulletins are published on the same day as Oracle Critical Patch Updates are relea ...
Oracle VM Server for x86 Bulletin - July 2016. Description: The Oracle VM Server for x86 Bulletin lists all CVEs that had been resolved and announced in Oracle VM Server for x86 Security Advisories (OVMSA) in the last one month prior to the release of the bulletin. Oracle VM Server for x86 Bulletins are published on the same day ...
Oracle Solaris Third Party Bulletin - January 2016. Description: The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Up ...
Oracle Critical Patch Update Advisory - April 2017. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus ...
Oracle Critical Patch Update Advisory - October 2017. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the ...
Oracle Critical Patch Update Advisory - January 2018. Description: A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previou ...
Oracle Critical Patch Update Advisory - October 2016. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previou ...
Oracle Critical Patch Update Advisory - July 2017. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous C ...
Oracle Critical Patch Update Advisory - April 2016. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory ...
Oracle Critical Patch Update Advisory - July 2016. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous C ...
Oracle Critical Patch Update Advisory - January 2016. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Pat ...

Mailing Lists

Orion Elite Hidden IP Browser Pro versions 10 through 79 have insecure versions of Tor and OpenSSL included and also suffer from man-in-the-middle vulnerabilities ...

References

CWE-200
http://openssl.org/news/secadv/20151203.txt
https://git.openssl.org/?p=openssl.git;a=commit;h=cc598f321fbac9c04da5766243ed55d55948637d
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
https://support.apple.com/HT206167
http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40100
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
http://marc.info/?l=bugtraq&m=145382583417444&w=2
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05111017
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05131085
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.securityfocus.com/bid/91787
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04944173
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.securityfocus.com/bid/78626
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html
http://fortiguard.com/advisory/openssl-advisory-december-2015
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00017.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10733
http://www.fortiguard.com/advisory/openssl-advisory-december-2015
http://lists.opensuse.org/opensuse-updates/2015-12/msg00087.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173801.html
http://www.debian.org/security/2015/dsa-3413
http://lists.opensuse.org/opensuse-updates/2015-12/msg00071.html
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151204-openssl
http://rhn.redhat.com/errata/RHSA-2015-2617.html
http://rhn.redhat.com/errata/RHSA-2015-2616.html
http://www.ubuntu.com/usn/USN-2830-1
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.754583
http://lists.opensuse.org/opensuse-updates/2015-12/msg00070.html
http://lists.opensuse.org/opensuse-updates/2015-12/msg00103.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05398322
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.securitytracker.com/id/1034294
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://rhn.redhat.com/errata/RHSA-2016-2957.html
http://rhn.redhat.com/errata/RHSA-2016-2056.html
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
https://access.redhat.com/errata/RHSA-2015:2616
https://nvd.nist.gov
https://usn.ubuntu.com/2830-1/
http://tools.cisco.com/security/center/viewAlert.x?alertId=42530