Vulnerabilities 0.9.8

If you think you have found a security bug in OpenSSL, please report it to us.

Show issues fixed only in OpenSSL 3.3, 3.2, 3.1, 3.0, 1.1.1, 1.1.0, 1.0.2, 1.0.1, 1.0.0, 0.9.8, 0.9.7, 0.9.6, or all versions.

OpenSSL 0.9.8 is out of support since 1st January 2016 and no longer receiving updates.

CVE-2016-0704

Severity
Moderate
Published at
1 March 2016
Found by
David Adrian and J.Alex Halderman (University of Michigan)
Affected
  • from 0.9.8 before 0.9.8zf
  • from 1.0.0 before 1.0.0r
  • from 1.0.1 before 1.0.1m
  • from 1.0.2 before 1.0.2a
References

This issue only affected versions of OpenSSL prior to March 19th 2015 at which time the code was refactored to address the vulnerability CVE-2015-0293. s2_srvr.c overwrite the wrong bytes in the master-key when applying Bleichenbacher protection for export cipher suites. This provides a Bleichenbacher oracle, and could potentially allow more efficient variants of the DROWN attack.

CVE-2016-0703

Severity
High
Published at
1 March 2016
Found by
David Adrian and J.Alex Halderman (University of Michigan)
Affected
  • from 0.9.8 before 0.9.8zf
  • from 1.0.0 before 1.0.0r
  • from 1.0.1 before 1.0.1m
  • from 1.0.2 before 1.0.2a
References

This issue only affected versions of OpenSSL prior to March 19th 2015 at which time the code was refactored to address vulnerability CVE-2015-0293. s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If clear-key bytes are present for these ciphers, they displace encrypted-key bytes. This leads to an efficient divide-and-conquer key recovery attack: if an eavesdropper has intercepted an SSLv2 handshake, they can use the server as an oracle to determine the SSLv2 master-key, using only 16 connections to the server and negligible computation. More importantly, this leads to a more efficient version of DROWN that is effective against non-export ciphersuites, and requires no significant computation.

CVE-2015-3195

Severity
Moderate
Published at
3 December 2015
Found by
Adam Langley (Google/BoringSSL) using libFuzzer
Affected
  • from 1.0.2 before 1.0.2e
  • from 1.0.1 before 1.0.1q
  • from 1.0.0 before 1.0.0t
  • from 0.9.8 before 0.9.8zh
References

When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak memory. This structure is used by the PKCS#7 and CMS routines so any application which reads PKCS#7 or CMS data from untrusted sources is affected. SSL/TLS is not affected.

CVE-2015-1792

Severity
Moderate
Published at
11 June 2015
Found by
Johannes Bauer
Affected
  • from 1.0.2 before 1.0.2b
  • from 1.0.1 before 1.0.1n
  • from 1.0.0 before 1.0.0s
  • from 0.9.8 before 0.9.8zg
References

When verifying a signedData message the CMS code can enter an infinite loop if presented with an unknown hash function OID. This can be used to perform denial of service against any system which verifies signedData messages using the CMS code.

CVE-2015-1791

Severity
Low
Published at
2 June 2015
Found by
Emilia Käsper (OpenSSL)
Affected
  • from 1.0.2 before 1.0.2b
  • from 1.0.1 before 1.0.1n
  • from 1.0.0 before 1.0.0s
  • from 0.9.8 before 0.9.8zg
References

If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data.

CVE-2015-1790

Severity
Moderate
Published at
11 June 2015
Found by
Michal Zalewski (Google)
Affected
  • from 1.0.2 before 1.0.2b
  • from 1.0.1 before 1.0.1n
  • from 1.0.0 before 1.0.0s
  • from 0.9.8 before 0.9.8zg
References

The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing. Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected.

CVE-2015-1789

Severity
Moderate
Published at
11 June 2015
Found by
Robert Święcki (Google Security Team)
Affected
  • from 1.0.2 before 1.0.2b
  • from 1.0.1 before 1.0.1n
  • from 1.0.0 before 1.0.0s
  • from 0.9.8 before 0.9.8zg
References

X509_cmp_time does not properly check the length of the ASN1_TIME string and can read a few bytes out of bounds. In addition, X509_cmp_time accepts an arbitrary number of fractional seconds in the time string. An attacker can use this to craft malformed certificates and CRLs of various sizes and potentially cause a segmentation fault, resulting in a DoS on applications that verify certificates or CRLs. TLS clients that verify CRLs are affected. TLS clients and servers with client authentication enabled may be affected if they use custom verification callbacks.

CVE-2015-1788

Severity
Moderate
Published at
11 June 2015
Found by
Joseph Birr-Pixton
Affected
  • from 1.0.2 before 1.0.2b
  • from 1.0.1 before 1.0.1n
  • from 1.0.0 before 1.0.0e
  • from 0.9.8 before 0.9.8s
References

When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field. This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates. This includes TLS clients and TLS servers with client authentication enabled.

CVE-2015-0293

Severity
Moderate
Published at
19 March 2015
Found by
Sean Burford (Google) and Emilia Käsper (OpenSSL development team)
Affected
  • from 1.0.2 before 1.0.2a
  • from 1.0.1 before 1.0.1m
  • from 1.0.0 before 1.0.0r
  • from 0.9.8 before 0.9.8zf
References

DoS via reachable assert in SSLv2 servers. A malicious client can trigger an OPENSSL_assert in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message.

CVE-2015-0292

Severity
Moderate
Published at
19 March 2015
Found by
Robert Dugal, also David Ramos, also Huzaifa Sidhpurwala (Red Hat)
Affected
  • from 1.0.1 before 1.0.1h
  • from 1.0.0 before 1.0.0m
  • from 0.9.8 before 0.9.8za
References

A vulnerability existed in previous versions of OpenSSL related to the processing of base64 encoded data. Any code path that reads base64 data from an untrusted source could be affected (such as the PEM processing routines). Maliciously crafted base 64 data could trigger a segmenation fault or memory corruption.

CVE-2015-0289

Severity
Moderate
Published at
19 March 2015
Found by
Michal Zalewski (Google)
Affected
  • from 1.0.2 before 1.0.2a
  • from 1.0.1 before 1.0.1m
  • from 1.0.0 before 1.0.0r
  • from 0.9.8 before 0.9.8zf
References

PKCS#7 NULL pointer dereference. The PKCS#7 parsing code does not handle missing outer ContentInfo correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing. Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected.

CVE-2015-0288

Severity
Low
Published at
2 March 2015
Found by
Brian Carpenter
Affected
  • from 1.0.2 before 1.0.2a
  • from 1.0.1 before 1.0.1m
  • from 1.0.0 before 1.0.0r
  • from 0.9.8 before 0.9.8zf
References

X509_to_X509_REQ NULL pointer deref. The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid. This function is rarely used in practice.

CVE-2015-0287

Severity
Moderate
Published at
19 March 2015
Found by
Emilia Käsper (OpenSSL development team)
Affected
  • from 1.0.2 before 1.0.2a
  • from 1.0.1 before 1.0.1m
  • from 1.0.0 before 1.0.0r
  • from 0.9.8 before 0.9.8zf
References

ASN.1 structure reuse memory corruption. Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. Such reuse is and has been strongly discouraged and is believed to be rare.

CVE-2015-0286

Severity
Moderate
Published at
19 March 2015
Found by
Stephen Henson (OpenSSL development team)
Affected
  • from 1.0.2 before 1.0.2a
  • from 1.0.1 before 1.0.1m
  • from 1.0.0 before 1.0.0r
  • from 0.9.8zd before 0.9.8zf
References

Segmentation fault in ASN1_TYPE_cmp. The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check certificate signature algorithm consistency this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication.

CVE-2015-0209

Severity
Low
Published at
19 March 2015
Found by
The BoringSSL project
Affected
  • from 1.0.2 before 1.0.2a
  • from 1.0.1 before 1.0.1m
  • from 1.0.0 before 1.0.0r
  • from 0.9.8 before 0.9.8zf
References

Use After Free following d2i_ECPrivatekey error. A malformed EC private key file consumed via the d2i_ECPrivateKey function could cause a use after free condition. This, in turn, could cause a double free in several private key parsing functions (such as d2i_PrivateKey or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption for applications that receive EC private keys from untrusted sources. This scenario is considered rare.

CVE-2015-0204

Severity
Low
Published at
6 January 2015
Found by
Karthikeyan Bhargavan of the PROSECCO team at INRIA
Affected
  • from 1.0.1 before 1.0.1k
  • from 1.0.0 before 1.0.0p
  • from 0.9.8 before 0.9.8zd
References

An OpenSSL client will accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. A server could present a weak temporary key and downgrade the security of the session.

CVE-2014-8275

Severity
Low
Published at
5 January 2015
Found by
Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program/Konrad Kraszewski from Google
Affected
  • from 1.0.1 before 1.0.1k
  • from 1.0.0 before 1.0.0p
  • from 0.9.8 before 0.9.8zd
References

OpenSSL accepts several non-DER-variations of certificate signature algorithm and signature encodings. OpenSSL also does not enforce a match between the signature algorithm between the signed and unsigned portions of the certificate. By modifying the contents of the signature algorithm or the encoding of the signature, it is possible to change the certificate’s fingerprint. This does not allow an attacker to forge certificates, and does not affect certificate verification or OpenSSL servers/clients in any other way. It also does not affect common revocation mechanisms. Only custom applications that rely on the uniqueness of the fingerprint (e.g. certificate blacklists) may be affected.

CVE-2014-8176

Severity
Moderate
Published at
11 June 2015
Found by
Praveen Kariyanahalli, and subsequently by Ivan Fratric and Felix Groebert (Google)
Affected
  • from 1.0.1 before 1.0.1h
  • from 1.0.0 before 1.0.0m
  • from 0.9.8 before 0.9.8za
References

This vulnerability does not affect current versions of OpenSSL. It existed in previous OpenSSL versions and was fixed in June 2014. If a DTLS peer receives application data between the ChangeCipherSpec and Finished messages, buffering of such data may cause an invalid free, resulting in a segmentation fault or potentially, memory corruption.

CVE-2014-3572

Severity
Low
Published at
5 January 2015
Found by
Karthikeyan Bhargavan of the PROSECCO team at INRIA
Affected
  • from 1.0.1 before 1.0.1k
  • from 1.0.0 before 1.0.0p
  • from 0.9.8 before 0.9.8zd
References

An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite using an ECDSA certificate if the server key exchange message is omitted. This effectively removes forward secrecy from the ciphersuite.

CVE-2014-3571

Severity
Moderate
Published at
5 January 2015
Found by
Markus Stenberg of Cisco Systems, Inc
Affected
  • from 1.0.1 before 1.0.1k
  • from 1.0.0 before 1.0.0p
  • from 0.9.8 before 0.9.8zd
References

A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. This could lead to a Denial Of Service attack.

CVE-2014-3570

Severity
Low
Published at
8 January 2015
Found by
Pieter Wuille (Blockstream)
Affected
  • from 1.0.1 before 1.0.1k
  • from 1.0.0 before 1.0.0p
  • from 0.9.8 before 0.9.8zd
References

Bignum squaring (BN_sqr) may produce incorrect results on some platforms, including x86_64. This bug occurs at random with a very low probability, and is not known to be exploitable in any way, though its exact impact is difficult to determine. The following has been determined: *) The probability of BN_sqr producing an incorrect result at random is very low: 1/2^64 on the single affected 32-bit platform (MIPS) and 1/2^128 on affected 64-bit platforms. *) On most platforms, RSA follows a different code path and RSA operations are not affected at all. For the remaining platforms (e.g. OpenSSL built without assembly support), pre-existing countermeasures thwart bug attacks [1]. *) Static ECDH is theoretically affected: it is possible to construct elliptic curve points that would falsely appear to be on the given curve. However, there is no known computationally feasible way to construct such points with low order, and so the security of static ECDH private keys is believed to be unaffected. *) Other routines known to be theoretically affected are modular exponentiation, primality testing, DSA, RSA blinding, JPAKE and SRP. No exploits are known and straightforward bug attacks fail - either the attacker cannot control when the bug triggers, or no private key material is involved.

CVE-2014-3569

Severity
Low
Published at
21 October 2014
Found by
Frank Schmirler
Affected
  • from 1.0.1j before 1.0.1k
  • from 1.0.0o before 1.0.0p
  • from 0.9.8zc before 0.9.8zd
References

When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl method would be set to NULL which could later result in a NULL pointer dereference.

CVE-2014-3568

Severity
Low
Published at
15 October 2014
Found by
Akamai Technologies
Affected
  • from 1.0.1 before 1.0.1j
  • from 1.0.0 before 1.0.0o
  • from 0.9.8 before 0.9.8zc
References

When OpenSSL is configured with “no-ssl3” as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them.

CVE-2014-3567

Severity
Moderate
Published at
15 October 2014
Affected
  • from 1.0.1 before 1.0.1j
  • from 1.0.0 before 1.0.0o
  • from 0.9.8g before 0.9.8zc
References

When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack.

CVE-2014-3510

Published at
6 August 2014
Found by
Felix Gröbert (Google)
Affected
  • from 1.0.1 before 1.0.1i
  • from 1.0.0 before 1.0.0n
  • from 0.9.8 before 0.9.8zb
References

A flaw in handling DTLS anonymous EC(DH) ciphersuites was found. OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a denial of service attack. A malicious server can crash the client with a null pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and sending carefully crafted handshake messages.

CVE-2014-3508

Published at
6 August 2014
Found by
Ivan Fratric (Google)
Affected
  • from 1.0.1 before 1.0.1i
  • from 1.0.0 before 1.0.0n
  • from 0.9.8 before 0.9.8zb
References

A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex, to leak some information from the stack. Applications may be affected if they echo pretty printing output to the attacker. OpenSSL SSL/TLS clients and servers themselves are not affected.

CVE-2014-3507

Published at
6 August 2014
Found by
Adam Langley (Google)
Affected
  • from 1.0.1 before 1.0.1i
  • from 1.0.0a before 1.0.0n
  • from 0.9.8o before 0.9.8zb
References

A DTLS memory leak from zero-length fragments was found. By sending carefully crafted DTLS packets an attacker could cause OpenSSL to leak memory. This could lead to a Denial of Service attack.

CVE-2014-3506

Published at
6 August 2014
Found by
Adam Langley (Google)
Affected
  • from 1.0.1 before 1.0.1i
  • from 1.0.0 before 1.0.0n
  • from 0.9.8 before 0.9.8zb
References

A DTLS flaw leading to memory exhaustion was found. An attacker can force openssl to consume large amounts of memory whilst processing DTLS handshake messages. This could lead to a Denial of Service attack.

CVE-2014-3505

Published at
6 August 2014
Found by
Adam Langley and Wan-Teh Chang (Google)
Affected
  • from 1.0.1 before 1.0.1i
  • from 1.0.0 before 1.0.0n
  • from 0.9.8m before 0.9.8zb
References

A Double Free was found when processing DTLS packets. An attacker can force an error condition which causes openssl to crash whilst processing DTLS packets due to memory being freed twice. This could lead to a Denial of Service attack.

CVE-2014-3470

Published at
30 May 2014
Found by
Felix Gröbert and Ivan Fratrić (Google)
Affected
  • from 1.0.1 before 1.0.1h
  • from 1.0.0 before 1.0.0m
  • from 0.9.8 before 0.9.8za
References

OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.

CVE-2014-0224

Published at
5 June 2014
Found by
KIKUCHI Masashi (Lepidum Co. Ltd.)
Affected
  • from 1.0.1 before 1.0.1h
  • from 1.0.0 before 1.0.0m
  • from 0.9.8 before 0.9.8za
References

An attacker can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

CVE-2014-0221

Published at
5 June 2014
Found by
Imre Rad (Search-Lab Ltd.)
Affected
  • from 1.0.1 before 1.0.1h
  • from 1.0.0 before 1.0.0m
  • from 0.9.8 before 0.9.8za
References

By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected.

CVE-2014-0195

Published at
5 June 2014
Found by
Jüri Aedla
Affected
  • from 1.0.1 before 1.0.1h
  • from 1.0.0 before 1.0.0m
  • from 0.9.8o before 0.9.8za
References

A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Only applications using OpenSSL as a DTLS client or server affected.

CVE-2014-0076

Published at
14 February 2014
Found by
Yuval Yarom and Naomi Benger
Affected
  • from 1.0.1 before 1.0.1g
  • from 1.0.0 before 1.0.0m
  • from 0.9.8 before 0.9.8za
References

Fix for the attack described in the paper “Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack”.

CVE-2013-0169

Published at
4 February 2013
Found by
Nadhem J. AlFardan and Kenneth G. Paterson of the Information Security Group Royal Holloway, University of London
Affected
  • from 1.0.1 before 1.0.1d
  • from 1.0.0 before 1.0.0k
  • from 0.9.8 before 0.9.8y
References

A weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS which could lead to plaintext recovery by exploiting timing differences arising during MAC processing.

CVE-2013-0166

Published at
5 February 2013
Found by
Stephen Henson
Affected
  • from 1.0.1 before 1.0.1d
  • from 1.0.0 before 1.0.0k
  • from 0.9.8 before 0.9.8y
References

A flaw in the OpenSSL handling of OCSP response verification can be exploited in a denial of service attack.

CVE-2012-2333

Published at
10 May 2012
Found by
Codenomicon
Affected
  • from 1.0.1 before 1.0.1c
  • from 1.0.0 before 1.0.0j
  • from 0.9.8 before 0.9.8x
References

An integer underflow flaw, leading to a buffer over-read, was found in the way OpenSSL handled TLS 1.1, TLS 1.2, and DTLS (Datagram Transport Layer Security) application data record lengths when using a block cipher in CBC (cipher-block chaining) mode. A malicious TLS 1.1, TLS 1.2, or DTLS client or server could use this flaw to crash its connection peer.

CVE-2012-2131

Published at
24 April 2012
Found by
Red Hat
Affected
  • from 0.9.8v before 0.9.8w
References

It was discovered that the fix for CVE-2012-2110 released on 19 Apr 2012 was not sufficient to correct the issue for OpenSSL 0.9.8. This issue only affects OpenSSL 0.9.8v. OpenSSL 1.0.1a and 1.0.0i already contain a patch sufficient to correct CVE-2012-2110.

CVE-2012-2110

Published at
19 April 2012
Found by
Tavis Ormandy
Affected
  • from 1.0.1 before 1.0.1a
  • from 1.0.0 before 1.0.0i
  • from 0.9.8 before 0.9.8v
References

Multiple numeric conversion errors, leading to a buffer overflow, were found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data from BIO (OpenSSL’s I/O abstraction) inputs. Specially-crafted DER (Distinguished Encoding Rules) encoded data read from a file or other BIO input could cause an application using the OpenSSL library to crash or, potentially, execute arbitrary code.

CVE-2012-0884

Published at
12 March 2012
Found by
Ivan Nestlerode
Affected
  • from 1.0.0 before 1.0.0h
  • from 0.9.8 before 0.9.8u
References

A weakness in the OpenSSL CMS and PKCS #7 code can be exploited using Bleichenbacher’s attack on PKCS #1 v1.5 RSA padding also known as the million message attack (MMA). Only users of CMS, PKCS #7, or S/MIME decryption operations are affected, SSL/TLS applications are not affected by this issue.

CVE-2012-0050

Published at
4 January 2012
Found by
Antonio Martin
Affected
  • from 1.0.0f before 1.0.0g
  • from 0.9.8s before 0.9.8t
References

A flaw in the fix to CVE-2011-4108 can be exploited in a denial of service attack. Only DTLS applications are affected.

CVE-2011-4619

Published at
4 January 2012
Found by
George Kadianakis
Affected
  • from 1.0.0 before 1.0.0f
  • from 0.9.8 before 0.9.8s
References

Support for handshake restarts for server gated cryptograpy (SGC) can be used in a denial-of-service attack.

CVE-2011-4577

Published at
4 January 2012
Found by
Andrew Chi
Affected
  • from 1.0.0 before 1.0.0f
  • from 0.9.8 before 0.9.8s
References

RFC 3779 data can be included in certificates, and if it is malformed, may trigger an assertion failure. This could be used in a denial-of-service attack. Builds of OpenSSL are only vulnerable if configured with “enable-rfc3779”, which is not a default.

CVE-2011-4576

Published at
4 January 2012
Found by
Adam Langley
Affected
  • from 1.0.0 before 1.0.0f
  • from 0.9.8 before 0.9.8s
References

OpenSSL failed to clear the bytes used as block cipher padding in SSL 3.0 records which could leak the contents of memory in some circumstances.

CVE-2011-4109

Published at
4 January 2012
Found by
Ben Laurie
Affected
  • from 0.9.8 before 0.9.8s
References

If X509_V_FLAG_POLICY_CHECK is set in OpenSSL 0.9.8, then a policy check failure can lead to a double-free. The bug does not occur unless this flag is set. Users of OpenSSL 1.0.0 are not affected.

CVE-2011-4108

Published at
4 January 2012
Found by
Nadhem Alfardan and Kenny Paterson
Affected
  • from 1.0.0 before 1.0.0f
  • from 0.9.8 before 0.9.8s
References

OpenSSL was susceptable an extension of the Vaudenay padding oracle attack on CBC mode encryption which enables an efficient plaintext recovery attack against the OpenSSL implementation of DTLS by exploiting timing differences arising during decryption processing.

CVE-2011-0014

Published at
8 February 2011
Found by
Neel Mehta
Affected
  • from 1.0.0 before 1.0.0d
  • from 0.9.8h before 0.9.8r
References

A buffer over-read flaw was discovered in the way OpenSSL parsed the Certificate Status Request TLS extensions in ClientHello TLS handshake messages. A remote attacker could possibly use this flaw to crash an SSL server using the affected OpenSSL functionality.

CVE-2010-4180

Published at
2 December 2010
Found by
Martin Rex
Affected
  • from 1.0.0 before 1.0.0c
  • from 0.9.8 before 0.9.8q
References

A flaw in the OpenSSL SSL/TLS server code where an old bug workaround allows malicious clients to modify the stored session cache ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one on subsequent connections. This issue only affects OpenSSL based SSL/TLS server if it uses OpenSSL’s internal caching mechanisms and the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG flag (many applications enable this by using the SSL_OP_ALL option).

CVE-2010-3864

Published at
16 November 2010
Found by
Rob Hulswit
Affected
  • from 1.0.0 before 1.0.0b
  • from 0.9.8 before 0.9.8p
References

A flaw in the OpenSSL TLS server extension code parsing which on affected servers can be exploited in a buffer overrun attack. Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL’s internal caching mechanism. Servers that are multi-process and/or disable internal session caching are NOT affected.

CVE-2010-0742

Published at
1 June 2010
Found by
Ronald Moesbergen
Affected
  • from 0.9.8h before 0.9.8o
  • from 1.0.0 before 1.0.0a
References

A flaw in the handling of CMS structures containing OriginatorInfo was found which could lead to a write to invalid memory address or double free. CMS support is disabled by default in OpenSSL 0.9.8 versions.

CVE-2010-0740

Published at
24 March 2010
Found by
Bodo Moeller and Adam Langley (Google)
Affected
  • from 0.9.8f before 0.9.8n
References

In TLS connections, certain incorrectly formatted records can cause an OpenSSL client or server to crash due to a read attempt at NULL.

CVE-2010-0433

Published at
19 January 2010
Found by
Todd Rinaldo, Tomas Hoger (Red Hat)
Affected
  • from 0.9.8 before 0.9.8n
References

A missing return value check flaw was discovered in OpenSSL, that could possibly cause OpenSSL to call a Kerberos library function with invalid arguments, resulting in a NULL pointer dereference crash in the MIT Kerberos library. In certain configurations, a remote attacker could use this flaw to crash a TLS/SSL server using OpenSSL by requesting Kerberos cipher suites during the TLS handshake.

CVE-2009-4355

Published at
13 January 2010
Found by
Michael K Johnson and Andy Grimm (rPath)
Affected
  • from 0.9.8 before 0.9.8m
References

A memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c allows remote attackers to cause a denial of service via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function.

CVE-2009-3555

Published at
5 November 2009
Affected
  • from 0.9.8 before 0.9.8m
References

Implement RFC5746 to address vulnerabilities in SSL/TLS renegotiation.

CVE-2009-3245

Published at
23 February 2010
Found by
Martin Olsson, Neel Mehta
Affected
  • from 0.9.8 before 0.9.8m
References

It was discovered that OpenSSL did not always check the return value of the bn_wexpand() function. An attacker able to trigger a memory allocation failure in that function could cause an application using the OpenSSL library to crash or, possibly, execute arbitrary code.

CVE-2009-1387

Published at
5 February 2009
Found by
Robin Seggelmann
Affected
  • from 0.9.8 before 0.9.8m
References

Fix denial of service flaw due in the DTLS implementation. A remote attacker could use this flaw to cause a DTLS server to crash.

CVE-2009-1386

Published at
2 June 2009
Found by
Alex Lam
Affected
  • from 0.9.8 before 0.9.8i
References

Fix a NULL pointer dereference if a DTLS server recieved ChangeCipherSpec as first record. A remote attacker could use this flaw to cause a DTLS server to crash.

CVE-2009-1379

Published at
12 May 2009
Found by
Daniel Mentz, Robin Seggelmann
Affected
  • from 0.9.8 before 0.9.8m
References

Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function could cause a client accessing a malicious DTLS server to crash.

CVE-2009-1378

Published at
12 May 2009
Found by
Daniel Mentz, Robin Seggelmann
Affected
  • from 0.9.8 before 0.9.8m
References

Fix a denial of service flaw in the DTLS implementation. In dtls1_process_out_of_seq_message() the check if the current message is already buffered was missing. For every new message was memory allocated, allowing an attacker to perform an denial of service attack against a DTLS server by sending out of seq handshake messages until there is no memory left.

CVE-2009-1377

Published at
12 May 2009
Found by
Daniel Mentz, Robin Seggelmann
Affected
  • from 0.9.8 before 0.9.8m
References

Fix a denial of service flaw in the DTLS implementation. Records are buffered if they arrive with a future epoch to be processed after finishing the corresponding handshake. There is currently no limitation to this buffer allowing an attacker to perform a DOS attack to a DTLS server by sending records with future epochs until there is no memory left.

CVE-2009-0789

Published at
25 March 2009
Found by
Paolo Ganci
Affected
  • from 0.9.8 before 0.9.8k
References

When a malformed ASN1 structure is received it’s contents are freed up and zeroed and an error condition returned. On a small number of platforms where sizeof(long) < sizeof(void *) (for example WIN64) this can cause an invalid memory access later resulting in a crash when some invalid structures are read, for example RSA public keys.

CVE-2009-0591

Published at
25 March 2009
Found by
Ivan Nestlerode, IBM
Affected
  • from 0.9.8h before 0.9.8k
References

The function CMS_verify() does not correctly handle an error condition involving malformed signed attributes. This will cause an invalid set of signed attributes to appear valid and content digests will not be checked.

CVE-2009-0590

Published at
25 March 2009
Affected
  • from 0.9.8 before 0.9.8k
References

The function ASN1_STRING_print_ex() when used to print a BMPString or UniversalString will crash with an invalid memory access if the encoded length of the string is illegal. Any OpenSSL application which prints out the contents of a certificate could be affected by this bug, including SSL servers, clients and S/MIME software.

CVE-2008-5077

Published at
7 January 2009
Found by
google
Affected
  • from 0.9.8 before 0.9.8j
References

The Google Security Team discovered several functions inside OpenSSL incorrectly checked the result after calling the EVP_VerifyFinal function, allowing a malformed signature to be treated as a good signature rather than as an error. This issue affected the signature checks on DSA and ECDSA keys used with SSL/TLS. One way to exploit this flaw would be for a remote attacker who is in control of a malicious server or who can use a ‘man in the middle’ attack to present a malformed SSL/TLS signature from a certificate chain to a vulnerable client, bypassing validation.

CVE-2008-1672

Published at
28 May 2008
Found by
codenomicon
Affected
  • from 0.9.8f before 0.9.8h
References

Testing using the Codenomicon TLS test suite discovered a flaw if the ‘Server Key exchange message’ is omitted from a TLS handshake in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects to a malicious server with particular cipher suites, the server could cause the client to crash.

CVE-2008-0891

Published at
28 May 2008
Found by
codenomicon
Affected
  • from 0.9.8f before 0.9.8h
References

Testing using the Codenomicon TLS test suite discovered a flaw in the handling of server name extension data in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If OpenSSL has been compiled using the non-default TLS server name extensions, a remote attacker could send a carefully crafted packet to a server application using OpenSSL and cause it to crash.

CVE-2007-5135

Published at
12 October 2007
Found by
Moritz Jodeit
Affected
  • from 0.9.8 before 0.9.8f
References

A flaw was found in the SSL_get_shared_ciphers() utility function. An attacker could send a list of ciphers to an application that used this function and overrun a buffer with a single byte. Few applications make use of this vulnerable function and generally it is used only when applications are compiled for debugging.

CVE-2007-4995

Published at
12 October 2007
Found by
Andy Polyakov
Affected
  • from 0.9.8 before 0.9.8f
References

A flaw in DTLS support. An attacker could create a malicious client or server that could trigger a heap overflow. This is possibly exploitable to run arbitrary code, but it has not been verified.

CVE-2006-4343

Published at
28 September 2006
Found by
openssl
Affected
  • from 0.9.7 before 0.9.7l
  • from 0.9.8 before 0.9.8d
References

A flaw in the SSLv2 client code was discovered. When a client application used OpenSSL to create an SSLv2 connection to a malicious server, that server could cause the client to crash.

CVE-2006-4339

Published at
5 September 2006
Found by
openssl
Affected
  • from 0.9.7 before 0.9.7k
  • from 0.9.8 before 0.9.8c
References

Daniel Bleichenbacher discovered an attack on PKCS #1 v1.5 signatures where under certain circumstances it may be possible for an attacker to forge a PKCS #1 v1.5 signature that would be incorrectly verified by OpenSSL.

CVE-2006-3738

Published at
28 September 2006
Found by
openssl
Affected
  • from 0.9.7 before 0.9.7l
  • from 0.9.8 before 0.9.8d
References

A buffer overflow was discovered in the SSL_get_shared_ciphers() utility function. An attacker could send a list of ciphers to an application that uses this function and overrun a buffer.

CVE-2006-2940

Published at
28 September 2006
Found by
openssl
Affected
  • from 0.9.7 before 0.9.7l
  • from 0.9.8 before 0.9.8d
References

Certain types of public key can take disproportionate amounts of time to process. This could be used by an attacker in a denial of service attack.

CVE-2006-2937

Published at
28 September 2006
Found by
openssl
Affected
  • from 0.9.7 before 0.9.7l
  • from 0.9.8 before 0.9.8d
References

During the parsing of certain invalid ASN.1 structures an error condition is mishandled. This can result in an infinite loop which consumes system memory.

CVE-2005-2969

Published at
11 October 2005
Found by
researcher
Affected
  • from 0.9.7 before 0.9.7h
  • from 0.9.8 before 0.9.8a
References

A deprecated option, SSL_OP_MISE_SSLV2_RSA_PADDING, could allow an attacker acting as a “man in the middle” to force a connection to downgrade to SSL 2.0 even if both parties support better protocols.