This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.
The remote AIX host is running a vulnerable version of OpenSSL.
The version of OpenSSL running on the remote host is affected by the
following vulnerabilities :
- A carefully crafted invalid TLS handshake can crash
OpenSSL with a NULL pointer dereference. A malicious
server can use this flaw to crash a connecting client.
This issue only affects OpenSSL 1.0.1 versions.
- A flaw in DTLS handling can cause an application using
OpenSSL and DTLS to crash. OpenSSL versions prior to
1.0.0 are not affected. The DTLS retransmission
implementation fails to properly maintain the data
structures for digest and encryption contexts, so a
remote attacker can send crafted DTLS traffic to cause
a denial of service (application crash). (CVE-2013-6450)
- A flaw in OpenSSL can cause an application using
OpenSSL to crash when using TLS version 1.2. This issue
only affects OpenSSL 1.0.1 versions. The error is in the
ssl_get_algorithm2 function; a remote attacker can
exploit it using specially crafted traffic from a TLS 1.2
client to cause the daemon to
A fix is available, and it can be downloaded from the AIX website.
To extract the fixes from the tar file :
zcat openssl-126.96.36.1991.tar.Z | tar xvf -
IMPORTANT : If possible, it is recommended that a mksysb backup of
the system be created. Verify that it is both bootable and readable.
To preview the fix installation :
installp -apYd . openssl
To install the fix package :
installp -aXYd . openssl
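The following POSIX shell script is an added example; it is not part of the AIX advisory or of Tenable's plugin. It shows the check an administrator would run before and after the steps above: read the installed openssl.base fileset level from `lslpp -Lc`, compare it field by field as integers against a fixed level (a string comparison would rank 1.0.1.9 above 1.0.1.10), and wrap the preview and install commands so they only run when explicitly requested. The fixed level 1.0.1.510 is an assumed placeholder, and the `lslpp -Lc` output embedded in the script is constructed so the check runs off an AIX box; take the real fixed level from the downloaded fix.

```shell
#!/bin/sh
# Added example, not part of the AIX advisory or of Tenable's plugin.
# Checks whether the installed openssl.base fileset is below a fixed level
# and wraps the advisory's preview/install commands behind an explicit flag.

# ASSUMPTION: placeholder fixed level; take the real one from the downloaded fix.
FIXED_LEVEL=1.0.1.510

# Constructed sample of `lslpp -Lc openssl.base` output (colon-separated; the
# Level is the third field), used so the script can be run off an AIX box.
SAMPLE_LSLPP='#Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description:Destination Dir.:Uninstaller:Message Catalog:Message Set:Message Number:Parent:Automatic:EFIX Locked:Install Path:Build Date
openssl:openssl.base:1.0.1.500: : :C: :Open Secure Socket Layer: : : : : : :0:0:/:
openssl:openssl.license:1.0.1.500: : :C: :Open Secure Socket Layer: : : : : : :0:0:/:'

# vrmf_cmp A B: compare two AIX V.R.M.F levels field by field as integers
# (so 1.0.1.9 < 1.0.1.10, which a string comparison would get wrong).
# Prints -1, 0 or 1.
vrmf_cmp() {
    i=1
    while [ "$i" -le 4 ]; do
        fa=$(printf '%s.\n' "$1" | cut -d. -f"$i")
        fb=$(printf '%s.\n' "$2" | cut -d. -f"$i")
        fa=${fa:-0}
        fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return 0; fi
        if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# installed_level: read lslpp -Lc output on stdin, print the Level of openssl.base.
installed_level() {
    grep '^openssl:openssl\.base:' | cut -d: -f3 | head -n 1
}

# needs_fix INSTALLED FIXED: true (exit 0) when INSTALLED is below FIXED.
needs_fix() {
    [ "$(vrmf_cmp "$1" "$2")" = "-1" ]
}

# apply_fix TARBALL: the advisory's steps, preview first, then install.
# Only runs when the script is invoked as: ./check_openssl.sh --apply <tarball>
apply_fix() {
    zcat "$1" | tar xvf -
    installp -apYd . openssl || return 1   # preview; stop if it reports problems
    installp -aXYd . openssl
}

if command -v lslpp >/dev/null 2>&1; then
    level=$(lslpp -Lc openssl.base 2>/dev/null | installed_level)
else
    level=$(printf '%s\n' "$SAMPLE_LSLPP" | installed_level)   # offline demo
fi

if needs_fix "$level" "$FIXED_LEVEL"; then
    echo "openssl.base $level is below $FIXED_LEVEL: fix required"
else
    echo "openssl.base $level is at or above $FIXED_LEVEL"
fi

if [ "${1-}" = "--apply" ]; then
    apply_fix "${2:?usage: $0 --apply <openssl fix tar.Z>}"
fi
```

Run it with no arguments on the host to see whether the fileset is below the fixed level; run it again after `installp` to confirm the new level is reported. A missing openssl.base fileset yields an empty level, which the comparison treats as 0.0.0.0 and therefore as needing the fix, so the check fails closed.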
Risk factor :
Medium / CVSS Base Score : 5.8
CVSS Temporal Score : 4.3
Public Exploit Available : false