CVE-2015-0292

HIGH
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow.

References

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10680

http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152733.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152734.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152844.html

http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html

http://marc.info/?l=bugtraq&m=143213830203296&w=2

http://marc.info/?l=bugtraq&m=143748090628601&w=2

http://marc.info/?l=bugtraq&m=144050155601375&w=2

http://marc.info/?l=bugtraq&m=144050297101809&w=2

http://rhn.redhat.com/errata/RHSA-2015-0715.html

http://rhn.redhat.com/errata/RHSA-2015-0716.html

http://rhn.redhat.com/errata/RHSA-2015-0752.html

http://rhn.redhat.com/errata/RHSA-2015-0800.html

http://www.debian.org/security/2015/dsa-3197

http://www.fortiguard.com/advisory/2015-03-24-openssl-vulnerabilities-march-2015

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

http://www.securityfocus.com/bid/73228

http://www.securitytracker.com/id/1031929

http://www.ubuntu.com/usn/USN-2537-1

https://access.redhat.com/articles/1384453

https://bto.bluecoat.com/security-advisory/sa92

https://bugzilla.redhat.com/show_bug.cgi?id=1202395

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=d0666f289ac013094bbbf547bfbcd616199b7d2d

https://kc.mcafee.com/corporate/index?page=content&id=SB10110

https://rt.openssl.org/Ticket/Display.html?id=2608&user=guest&pass=guest

https://security.gentoo.org/glsa/201503-11

https://support.citrix.com/article/CTX216642

https://www.openssl.org/news/secadv_20150319.txt

Details

Source: MITRE

Published: 2015-03-19

Updated: 2017-11-15

Type: CWE-119

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

Tenable Plugins

View all (44 total)

IDNameProductFamilySeverity
137993EulerOS Virtualization 3.0.6.0 : openssl098e (EulerOS-SA-2020-1774)NessusHuawei Local Security Checks
high
129174EulerOS 2.0 SP5 : openssl098e (EulerOS-SA-2019-1980)NessusHuawei Local Security Checks
high
128913EulerOS 2.0 SP2 : openssl098e (EulerOS-SA-2019-1861)NessusHuawei Local Security Checks
critical
125000EulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1547)NessusHuawei Local Security Checks
medium
119963SUSE SLES12 Security Update : compat-openssl098 (SUSE-SU-2015:0553-1)NessusSuSE Local Security Checks
high
90526Cisco IOS XE Multiple OpenSSL Vulnerabilities (CSCut46130 / CSCut46126)NessusCISCO
high
90525Cisco IOS Multiple OpenSSL Vulnerabilities (CSCut46130)NessusCISCO
high
90251HP System Management Homepage < 7.2.6 Multiple Vulnerabilities (FREAK)NessusWeb Servers
high
88991Cisco NX-OS OpenSSL Multiple VulnerabilitiesNessusCISCO
high
88434F5 Networks BIG-IP : OpenSSL vulnerability (SOL16302)NessusF5 Networks Local Security Checks
high
87672Puppet Enterprise Multiple OpenSSL Vulnerabilities (FREAK)NessusCGI abuses
high
84923HP System Management Homepage 7.3.x / 7.4.x < 7.5.0 Multiple Vulnerabilities (FREAK)NessusWeb Servers
high
84400Blue Coat ProxySG 6.2.x < 6.2.16.4 / 6.5.x < 6.5.7.5 / 6.6.x < 6.6.2.1 Multiple OpenSSL VulnerabilitiesNessusFirewalls
high
83992Splunk Enterprise 5.0.x < 5.0.13 / 6.0.x < 6.0.9 / 6.1.x < 6.1.8 OpenSSL Vulnerabilities (FREAK)NessusCGI abuses
high
82900AIX OpenSSL Advisory : openssl_advisory13.ascNessusAIX Local Security Checks
high
82783CentOS 5 : openssl (CESA-2015:0800) (FREAK)NessusCentOS Local Security Checks
medium
82760Scientific Linux Security Update : openssl on SL5.x i386/x86_64 (20150413) (FREAK)NessusScientific Linux Local Security Checks
high
82758RHEL 5 : openssl (RHSA-2015:0800) (FREAK)NessusRed Hat Local Security Checks
medium
82757Oracle Linux 5 : openssl (ELSA-2015-0800) (FREAK)NessusOracle Linux Local Security Checks
medium
82494RHEL 6 : Storage Server (RHSA-2015:0752)NessusRed Hat Local Security Checks
high
82266Scientific Linux Security Update : openssl on SL7.x x86_64 (20150324)NessusScientific Linux Local Security Checks
high
82265Scientific Linux Security Update : openssl on SL6.x i386/x86_64 (20150324)NessusScientific Linux Local Security Checks
high
82162Debian DLA-177-1 : openssl security updateNessusDebian Local Security Checks
high
82066OracleVM 3.3 : openssl (OVMSA-2015-0039)NessusOracleVM Local Security Checks
high
82060Fedora 22 : openssl-1.0.1k-6.fc22 (2015-4320)NessusFedora Local Security Checks
high
82059Fedora 21 : openssl-1.0.1k-6.fc21 (2015-4303)NessusFedora Local Security Checks
high
82058Fedora 20 : openssl-1.0.1e-42.fc20 (2015-4300)NessusFedora Local Security Checks
high
82018RHEL 7 : openssl (RHSA-2015:0716)NessusRed Hat Local Security Checks
medium
82017RHEL 6 : openssl (RHSA-2015:0715)NessusRed Hat Local Security Checks
high
82016Oracle Linux 7 : openssl (ELSA-2015-0716)NessusOracle Linux Local Security Checks
medium
82015Oracle Linux 6 : openssl (ELSA-2015-0715)NessusOracle Linux Local Security Checks
high
82010GLSA-201503-11 : OpenSSL: Multiple vulnerabilities (FREAK)NessusGentoo Local Security Checks
high
81998CentOS 7 : openssl (CESA-2015:0716)NessusCentOS Local Security Checks
high
81997CentOS 6 : openssl (CESA-2015:0715)NessusCentOS Local Security Checks
high
81996SuSE 11.3 Security Update : OpenSSL (SAT Patch Number 10481)NessusSuSE Local Security Checks
high
81971Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : openssl vulnerabilities (USN-2537-1)NessusUbuntu Local Security Checks
high
81970SuSE 11.3 Security Update : OpenSSL (SAT Patch Number 10470)NessusSuSE Local Security Checks
high
81962FreeBSD : OpenSSL -- multiple vulnerabilities (9d15355b-ce7c-11e4-9db0-d050992ecde8) (FREAK)NessusFreeBSD Local Security Checks
high
81955Debian DSA-3197-1 : openssl - security updateNessusDebian Local Security Checks
high
801938OpenSSL < 0.9.8za / 1.0.0m / 1.0.1h Integer Underflow VulnerabilityLog Correlation EngineWeb Servers
high
78292Amazon Linux AMI : openssl (ALAS-2014-349)NessusAmazon Linux Local Security Checks
high
74364OpenSSL 1.0.1 < 1.0.1h Multiple VulnerabilitiesNessusWeb Servers
high
8253OpenSSL < 0.9.8za / < 1.0.0m / < 1.0.1h Multiple VulnerabilitiesNessus Network MonitorWeb Servers
high
73403OpenSSL 1.0.0 < 1.0.0m Multiple VulnerabilitiesNessusWeb Servers
high