CVE-2015-0293

medium

Description

The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message.

References

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10680

http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152733.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152734.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152844.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-May/156823.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157177.html

http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00022.html

http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00004.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00006.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00007.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00010.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00012.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00025.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00038.html

http://lists.opensuse.org/opensuse-updates/2015-03/msg00062.html

http://marc.info/?l=bugtraq&m=143213830203296&w=2

http://marc.info/?l=bugtraq&m=143748090628601&w=2

http://marc.info/?l=bugtraq&m=144050155601375&w=2

http://marc.info/?l=bugtraq&m=144050297101809&w=2

http://rhn.redhat.com/errata/RHSA-2015-0715.html

http://rhn.redhat.com/errata/RHSA-2015-0716.html

http://rhn.redhat.com/errata/RHSA-2015-0752.html

http://rhn.redhat.com/errata/RHSA-2015-0800.html

http://support.apple.com/kb/HT204942

http://www.mandriva.com/security/advisories?name=MDVSA-2015:062

http://www.mandriva.com/security/advisories?name=MDVSA-2015:063

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

http://www.securityfocus.com/bid/73232

http://www.securitytracker.com/id/1031929

http://www.ubuntu.com/usn/USN-2537-1

https://access.redhat.com/articles/1384453

https://bto.bluecoat.com/security-advisory/sa92

https://bugzilla.redhat.com/show_bug.cgi?id=1202404

https://git.openssl.org/?p=openssl.git;a=commit;h=86f8fb0e344d62454f8daf3e15236b2b59210756

https://kc.mcafee.com/corporate/index?page=content&id=SB10110

https://security.gentoo.org/glsa/201503-11

https://support.citrix.com/article/CTX216642

https://www.freebsd.org/security/advisories/FreeBSD-SA-15%3A06.openssl.asc

https://www.openssl.org/news/secadv_20150319.txt

Details

Source: MITRE

Published: 2015-03-19

Updated: 2018-01-18

Type: CWE-20

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions up to 0.9.8ze (inclusive)

cpe:2.3:a:openssl:openssl:1.0.0:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0b:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0c:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0d:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0e:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0f:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0g:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0h:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0i:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0j:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0k:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0l:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0m:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0n:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0o:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0p:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0q:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1b:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1c:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1d:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1e:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1g:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1h:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1i:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1j:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1k:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1l:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 125001 | EulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1548) | Nessus | Huawei Local Security Checks | high |
| 119963 | SUSE SLES12 Security Update : compat-openssl098 (SUSE-SU-2015:0553-1) | Nessus | SuSE Local Security Checks | high |
| 90526 | Cisco IOS XE Multiple OpenSSL Vulnerabilities (CSCut46130 / CSCut46126) | Nessus | CISCO | high |
| 90525 | Cisco IOS Multiple OpenSSL Vulnerabilities (CSCut46130) | Nessus | CISCO | high |
| 90364 | Amazon Linux AMI : openssl098e (ALAS-2016-682) (DROWN) | Nessus | Amazon Linux Local Security Checks | medium |
| 90251 | HP System Management Homepage < 7.2.6 Multiple Vulnerabilities (FREAK) | Nessus | Web Servers | high |
| 89910 | openSUSE Security Update : openssl (openSUSE-2016-327) (DROWN) | Nessus | SuSE Local Security Checks | critical |
| 89825 | Scientific Linux Security Update : openssl098e on SL6.x, SL7.x i386/x86_64 (20160309) (DROWN) | Nessus | Scientific Linux Local Security Checks | medium |
| 89773 | RHEL 6 / 7 : openssl098e (RHSA-2016:0372) (DROWN) | Nessus | Red Hat Local Security Checks | medium |
| 89770 | Oracle Linux 6 / 7 : openssl098e (ELSA-2016-0372) (DROWN) | Nessus | Oracle Linux Local Security Checks | medium |
| 89762 | CentOS 6 / 7 : openssl098e (CESA-2016:0372) (DROWN) | Nessus | CentOS Local Security Checks | medium |
| 89731 | SUSE SLES10 Security Update : OpenSSL (SUSE-SU-2016:0678-1) (DROWN) | Nessus | SuSE Local Security Checks | critical |
| 89722 | SUSE SLED11 Security Update : compat-openssl097g (SUSE-SU-2016:0631-1) (DROWN) | Nessus | SuSE Local Security Checks | critical |
| 89658 | SUSE SLED12 / SLES12 Security Update : openssl (SUSE-SU-2016:0641-1) (DROWN) | Nessus | SuSE Local Security Checks | critical |
| 89655 | SUSE SLED11 / SLES11 Security Update : openssl (SUSE-SU-2016:0624-1) (DROWN) | Nessus | SuSE Local Security Checks | critical |
| 89651 | openSUSE Security Update : libopenssl0_9_8 (openSUSE-2016-294) (DROWN) (FREAK) (POODLE) | Nessus | SuSE Local Security Checks | critical |
| 89092 | openSUSE Security Update : openssl (openSUSE-2016-292) (DROWN) | Nessus | SuSE Local Security Checks | critical |
| 89091 | openSUSE Security Update : openssl (openSUSE-2016-289) (DROWN) | Nessus | SuSE Local Security Checks | critical |
| 89077 | SUSE SLED12 / SLES12 Security Update : openssl (SUSE-SU-2016:0620-1) (DROWN) | Nessus | SuSE Local Security Checks | critical |
| 89076 | SUSE SLED12 / SLES12 Security Update : openssl (SUSE-SU-2016:0617-1) (DROWN) | Nessus | SuSE Local Security Checks | critical |
| 89070 | RHEL 5 : openssl (RHSA-2016:0304) (DROWN) | Nessus | Red Hat Local Security Checks | medium |
| 89069 | RHEL 6 : openssl (RHSA-2016:0303) (DROWN) | Nessus | Red Hat Local Security Checks | medium |
| 87672 | Puppet Enterprise Multiple OpenSSL Vulnerabilities (FREAK) | Nessus | CGI abuses | high |
| 8801 | Mac OS X < 10.10.4 Multiple Vulnerabilities | Nessus Network Monitor | Operating System Detection | critical |
| 86271 | F5 Networks BIG-IP : OpenSSL vulnerability (K16321) | Nessus | F5 Networks Local Security Checks | medium |
| 84923 | HP System Management Homepage 7.3.x / 7.4.x < 7.5.0 Multiple Vulnerabilities (FREAK) | Nessus | Web Servers | high |
| 84489 | Mac OS X Multiple Vulnerabilities (Security Update 2015-005) (GHOST) (Logjam) | Nessus | MacOS X Local Security Checks | critical |
| 84488 | Mac OS X 10.10.x < 10.10.4 Multiple Vulnerabilities (GHOST) (Logjam) | Nessus | MacOS X Local Security Checks | critical |
| 84400 | Blue Coat ProxySG 6.2.x < 6.2.16.4 / 6.5.x < 6.5.7.5 / 6.6.x < 6.6.2.1 Multiple OpenSSL Vulnerabilities | Nessus | Firewalls | high |
| 83992 | Splunk Enterprise 5.0.x < 5.0.13 / 6.0.x < 6.0.9 / 6.1.x < 6.1.8 OpenSSL Vulnerabilities (FREAK) | Nessus | CGI abuses | high |
| 83703 | SUSE SLED12 / SLES12 Security Update : openssl (SUSE-SU-2015:0541-1) | Nessus | SuSE Local Security Checks | medium |
| 83527 | Apache Tomcat 8.0.x < 8.0.21 Multiple Vulnerabilities (FREAK) | Nessus | Web Servers | high |
| 83526 | Apache Tomcat 7.0.x < 7.0.60 Multiple Vulnerabilities (FREAK) | Nessus | Web Servers | high |
| 83490 | Apache Tomcat 6.0.x < 6.0.44 Multiple Vulnerabilities (FREAK) | Nessus | Web Servers | high |
| 83238 | Fedora 21 : mingw-openssl-1.0.2a-1.fc21 (2015-6855) | Nessus | Fedora Local Security Checks | medium |
| 83216 | Fedora 22 : mingw-openssl-1.0.2a-1.fc22 (2015-6951) | Nessus | Fedora Local Security Checks | medium |
| 82922 | Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openssl (SSA:2015-111-09) | Nessus | Slackware Local Security Checks | medium |
| 82900 | AIX OpenSSL Advisory : openssl_advisory13.asc | Nessus | AIX Local Security Checks | high |
| 82783 | CentOS 5 : openssl (CESA-2015:0800) (FREAK) | Nessus | CentOS Local Security Checks | medium |
| 82760 | Scientific Linux Security Update : openssl on SL5.x i386/x86_64 (20150413) (FREAK) | Nessus | Scientific Linux Local Security Checks | high |
| 82758 | RHEL 5 : openssl (RHSA-2015:0800) (FREAK) | Nessus | Red Hat Local Security Checks | medium |
| 82757 | Oracle Linux 5 : openssl (ELSA-2015-0800) (FREAK) | Nessus | Oracle Linux Local Security Checks | medium |
| 82494 | RHEL 6 : Storage Server (RHSA-2015:0752) | Nessus | Red Hat Local Security Checks | high |
| 82316 | Mandriva Linux Security Advisory : openssl (MDVSA-2015:063) | Nessus | Mandriva Local Security Checks | medium |
| 82315 | Mandriva Linux Security Advisory : openssl (MDVSA-2015:062) | Nessus | Mandriva Local Security Checks | high |
| 8662 | OpenSSL 0.9.8 < 0.9.8zf / 1.0.0 < 1.0.0r / 1.0.1 < 1.0.1m Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium |
| 8661 | OpenSSL 1.0.2 < 1.0.2a Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium |
| 82266 | Scientific Linux Security Update : openssl on SL7.x x86_64 (20150324) | Nessus | Scientific Linux Local Security Checks | high |
| 82265 | Scientific Linux Security Update : openssl on SL6.x i386/x86_64 (20150324) | Nessus | Scientific Linux Local Security Checks | high |
| 82162 | Debian DLA-177-1 : openssl security update | Nessus | Debian Local Security Checks | high |
| 82077 | stunnel < 5.12 OpenSSL Multiple Vulnerabilities | Nessus | Windows | medium |
| 82066 | OracleVM 3.3 : openssl (OVMSA-2015-0039) | Nessus | OracleVM Local Security Checks | high |
| 82060 | Fedora 22 : openssl-1.0.1k-6.fc22 (2015-4320) | Nessus | Fedora Local Security Checks | high |
| 82059 | Fedora 21 : openssl-1.0.1k-6.fc21 (2015-4303) | Nessus | Fedora Local Security Checks | high |
| 82058 | Fedora 20 : openssl-1.0.1e-42.fc20 (2015-4300) | Nessus | Fedora Local Security Checks | high |
| 82047 | Amazon Linux AMI : openssl (ALAS-2015-498) | Nessus | Amazon Linux Local Security Checks | medium |
| 82033 | OpenSSL 1.0.2 < 1.0.2a Multiple Vulnerabilities | Nessus | Web Servers | medium |
| 82032 | OpenSSL 1.0.1 < 1.0.1m Multiple Vulnerabilities | Nessus | Web Servers | medium |
| 82031 | OpenSSL 1.0.0 < 1.0.0r Multiple Vulnerabilities | Nessus | Web Servers | medium |
| 82030 | OpenSSL 0.9.8 < 0.9.8zf Multiple Vulnerabilities | Nessus | Web Servers | medium |
| 82018 | RHEL 7 : openssl (RHSA-2015:0716) | Nessus | Red Hat Local Security Checks | medium |
| 82017 | RHEL 6 : openssl (RHSA-2015:0715) | Nessus | Red Hat Local Security Checks | high |
| 82016 | Oracle Linux 7 : openssl (ELSA-2015-0716) | Nessus | Oracle Linux Local Security Checks | medium |
| 82015 | Oracle Linux 6 : openssl (ELSA-2015-0715) | Nessus | Oracle Linux Local Security Checks | high |
| 82010 | GLSA-201503-11 : OpenSSL: Multiple vulnerabilities (FREAK) | Nessus | Gentoo Local Security Checks | high |
| 81998 | CentOS 7 : openssl (CESA-2015:0716) | Nessus | CentOS Local Security Checks | high |
| 81997 | CentOS 6 : openssl (CESA-2015:0715) | Nessus | CentOS Local Security Checks | high |
| 81996 | SuSE 11.3 Security Update : OpenSSL (SAT Patch Number 10481) | Nessus | SuSE Local Security Checks | high |
| 81995 | openSUSE Security Update : openssl (openSUSE-2015-247) | Nessus | SuSE Local Security Checks | medium |
| 81971 | Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : openssl vulnerabilities (USN-2537-1) | Nessus | Ubuntu Local Security Checks | high |
| 81970 | SuSE 11.3 Security Update : OpenSSL (SAT Patch Number 10470) | Nessus | SuSE Local Security Checks | high |
| 81962 | FreeBSD : OpenSSL -- multiple vulnerabilities (9d15355b-ce7c-11e4-9db0-d050992ecde8) (FREAK) | Nessus | FreeBSD Local Security Checks | high |
| 801937 | OpenSSL < 0.9.8zf / 1.0.0r / 1.0.1m / 1.0.2a Multiple Vulnerabilities | Log Correlation Engine | Web Servers | medium |