New! Vulnerability Priority Rating (VPR)
Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.
VPR Score: 5.9
Synopsis
The remote FreeBSD host is missing one or more security-related updates.
Description
Several problems have been found in OpenSSL :
- During the parsing of certain invalid ASN1 structures an error condition is mishandled, possibly resulting in an infinite loop.
- A buffer overflow exists in the SSL_get_shared_ciphers function.
- A NULL pointer may be dereferenced in the SSL version 2 client code.
In addition, many applications using OpenSSL do not perform any validation of the lengths of public keys being used. Impact : Servers which parse ASN1 data from untrusted sources may be vulnerable to a denial of service attack.
An attacker accessing a server which uses SSL version 2 may be able to execute arbitrary code with the privileges of that server.
A malicious SSL server can cause clients connecting using SSL version 2 to crash.
Applications which perform public key operations using untrusted keys may be vulnerable to a denial of service attack. Workaround : No workaround is available, but not all of the vulnerabilities mentioned affect all applications.
Solution
Update the affected packages.