CVE-2015-0289

Severity

50%

Complexity

99%

Confidentiality

48%

CWE-476: NULL Pointer Dereference

The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c.

CWE-476: NULL Pointer Dereference

CVSS 2.0 Base Score 5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P).

Overview

Type

OpenSSL

First reported 9 years ago

2015-03-19 22:59:00

Last updated 7 years ago

2017-10-20 01:29:00

Affected Software

OpenSSL Project OpenSSL

OpenSSL Project OpenSSL 1.0.0

1.0.0

OpenSSL Project OpenSSL 1.0.0a

1.0.0a

OpenSSL Project OpenSSL 1.0.0b

1.0.0b

OpenSSL Project OpenSSL 1.0.0c

1.0.0c

OpenSSL Project OpenSSL 1.0.0d

1.0.0d

OpenSSL Project OpenSSL 1.0.0e

1.0.0e

OpenSSL Project OpenSSL 1.0.0f

1.0.0f

OpenSSL Project OpenSSL 1.0.0g

1.0.0g

OpenSSL Project OpenSSL 1.0.0h

1.0.0h

OpenSSL Project OpenSSL 1.0.0i

1.0.0i

OpenSSL Project OpenSSL 1.0.0j

1.0.0j

OpenSSL Project OpenSSL 1.0.0k

1.0.0k

OpenSSL Project OpenSSL 1.0.0l

1.0.0l

OpenSSL Project OpenSSL 1.0.0m

1.0.0m

OpenSSL Project OpenSSL 1.0.0n

1.0.0n

OpenSSL OpenSSL 1.0.0o

1.0.0o

OpenSSL Project OpenSSL 1.0.0p

1.0.0p

OpenSSL Project OpenSSL 1.0.0q

1.0.0q

OpenSSL Project OpenSSL 1.0.1

1.0.1

OpenSSL Project OpenSSL 1.0.1a

1.0.1a

OpenSSL Project OpenSSL 1.0.1b

1.0.1b

OpenSSL Project OpenSSL 1.0.1c

1.0.1c

OpenSSL Project OpenSSL 1.0.1d

1.0.1d

OpenSSL Project OpenSSL 1.0.1e

1.0.1e

OpenSSL Project OpenSSL 1.0.1f

1.0.1f

OpenSSL Project OpenSSL 1.0.1g

1.0.1g

OpenSSL Project OpenSSL 1.0.1h

1.0.1h

OpenSSL Project OpenSSL 1.0.1i

1.0.1i

OpenSSL Project OpenSSL 1.0.1j

1.0.1j

OpenSSL Project OpenSSL 1.0.1k

1.0.1k

OpenSSL Project OpenSSL 1.0.1l

1.0.1l

OpenSSL Project OpenSSL 1.0.2

1.0.2

References

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10680

APPLE-SA-2015-06-30-2

FEDORA-2015-4303

FEDORA-2015-4320

FEDORA-2015-4300

FEDORA-2015-6951

FEDORA-2015-6855

SUSE-SU-2015:0541

SUSE-SU-2015:0578

openSUSE-SU-2015:1277

openSUSE-SU-2016:0640

openSUSE-SU-2015:0554

HPSBGN03306

SSRT102000

HPSBMU03380

HPSBMU03409

HPSBMU03397

RHSA-2015:0715

RHSA-2015:0716

RHSA-2015:0752

RHSA-2015:0800

http://support.apple.com/kb/HT204942

DSA-3197

http://www.fortiguard.com/advisory/2015-03-24-openssl-vulnerabilities-march-2015

MDVSA-2015:062

MDVSA-2015:063

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

73231

1031929

USN-2537-1

https://access.redhat.com/articles/1384453

https://bto.bluecoat.com/security-advisory/sa92

https://bugzilla.redhat.com/show_bug.cgi?id=1202384

https://git.openssl.org/?p=openssl.git;a=commit;h=c0334c2c92dd1bc3ad8138ba6e74006c3631b0f9

https://kc.mcafee.com/corporate/index?page=content&id=SB10110

GLSA-201503-11

FreeBSD-SA-15:06

https://www.openssl.org/news/secadv_20150319.txt

Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.