OpenSSL 1.0.2 and 1.0.1 Multiple Vulnerabilities Sep 16 (Linux)
Information
Severity
Family
CVSSv2 Base
CVSSv2 Vector
Solution Type
Created
Modified
Summary
This host is running OpenSSL and is prone to multiple vulnerabilities.
Insight
OpenSSL is prone to multiple vulnerabilities due to:
1) Missing message length checks, which result in out-of-bounds reads of up to 2 bytes beyond the allocated buffer. This leads to denial of service. The attack works only if client authentication is enabled.
2) Calling MDC2_Update() can cause an overflow if an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block; a length check can then overflow, resulting in heap corruption.
3) A malformed SHA512 TLS session ticket results in an out-of-bounds read, which leads to a service crash.
4) Failing to check the return value of the BN_div_word() function causes an out-of-bounds write if it is used with an overly large BIGNUM. TLS is not affected.
5) Misuse of the OBJ_obj2txt() function by the function TS_OBJ_print_bio() results in out-of-bounds reads when large OIDs are presented.
6) Handling of out-of-order DTLS messages enables an attacker to cause a DoS through memory exhaustion.
7) A flaw in the DTLS replay attack protection mechanism enables an attacker to send records for next epochs with a very large sequence number. This causes all subsequent legitimate packets to be dropped, resulting in a denial of service for a specific DTLS connection.
Affected Software
OpenSSL 1.0.2 and 1.0.1.
Solution
OpenSSL 1.0.2 users should upgrade to 1.0.2i; OpenSSL 1.0.1 users should upgrade to 1.0.1u.