Vulnerabilities 1.0.0
If you think you have found a security bug in OpenSSL, please report it to us.
OpenSSL 1.0.0 has been out of support since 1 January 2016 and is no longer receiving updates.
CVE-2016-0704
- Severity
- Moderate
- Published at
- 1 March 2016
- Found by
- David Adrian and J.Alex Halderman (University of Michigan)
- Affected
-
- from 0.9.8 before 0.9.8zf
- from 1.0.0 before 1.0.0r
- from 1.0.1 before 1.0.1m
- from 1.0.2 before 1.0.2a
- References
This issue only affected versions of OpenSSL prior to March 19th 2015 at which time the code was refactored to address the vulnerability CVE-2015-0293. s2_srvr.c overwrote the wrong bytes in the master-key when applying Bleichenbacher protection for export cipher suites. This provides a Bleichenbacher oracle, and could potentially allow more efficient variants of the DROWN attack.
CVE-2016-0703
- Severity
- High
- Published at
- 1 March 2016
- Found by
- David Adrian and J.Alex Halderman (University of Michigan)
- Affected
-
- from 0.9.8 before 0.9.8zf
- from 1.0.0 before 1.0.0r
- from 1.0.1 before 1.0.1m
- from 1.0.2 before 1.0.2a
- References
This issue only affected versions of OpenSSL prior to March 19th 2015 at which time the code was refactored to address the vulnerability CVE-2015-0293. s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If clear-key bytes are present for these ciphers, they displace encrypted-key bytes. This leads to an efficient divide-and-conquer key recovery attack: if an eavesdropper has intercepted an SSLv2 handshake, they can use the server as an oracle to determine the SSLv2 master-key, using only 16 connections to the server and negligible computation. More importantly, this leads to a more efficient version of DROWN that is effective against non-export ciphersuites, and requires no significant computation.
CVE-2015-3196
- Severity
- Low
- Published at
- 3 December 2015
- Found by
- Stephen Henson (OpenSSL)
- Affected
-
- from 1.0.2 before 1.0.2d
- from 1.0.1 before 1.0.1p
- from 1.0.0 before 1.0.0t
- References
If PSK identity hints are received by a multi-threaded client then the values are wrongly updated in the parent SSL_CTX structure. This can result in a race condition potentially leading to a double free of the identity hint data.
CVE-2015-3195
- Severity
- Moderate
- Published at
- 3 December 2015
- Found by
- Adam Langley (Google/BoringSSL) using libFuzzer
- Affected
-
- from 1.0.2 before 1.0.2e
- from 1.0.1 before 1.0.1q
- from 1.0.0 before 1.0.0t
- from 0.9.8 before 0.9.8zh
- References
When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak memory. This structure is used by the PKCS#7 and CMS routines so any application which reads PKCS#7 or CMS data from untrusted sources is affected. SSL/TLS is not affected.
CVE-2015-1792
- Severity
- Moderate
- Published at
- 11 June 2015
- Found by
- Johannes Bauer
- Affected
-
- from 1.0.2 before 1.0.2b
- from 1.0.1 before 1.0.1n
- from 1.0.0 before 1.0.0s
- from 0.9.8 before 0.9.8zg
- References
When verifying a signedData message the CMS code can enter an infinite loop if presented with an unknown hash function OID. This can be used to perform denial of service against any system which verifies signedData messages using the CMS code.
CVE-2015-1791
- Severity
- Low
- Published at
- 2 June 2015
- Found by
- Emilia Käsper (OpenSSL)
- Affected
-
- from 1.0.2 before 1.0.2b
- from 1.0.1 before 1.0.1n
- from 1.0.0 before 1.0.0s
- from 0.9.8 before 0.9.8zg
- References
If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data.
CVE-2015-1790
- Severity
- Moderate
- Published at
- 11 June 2015
- Found by
- Michal Zalewski (Google)
- Affected
-
- from 1.0.2 before 1.0.2b
- from 1.0.1 before 1.0.1n
- from 1.0.0 before 1.0.0s
- from 0.9.8 before 0.9.8zg
- References
The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing. Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected.
CVE-2015-1789
- Severity
- Moderate
- Published at
- 11 June 2015
- Found by
- Robert Święcki (Google Security Team)
- Affected
-
- from 1.0.2 before 1.0.2b
- from 1.0.1 before 1.0.1n
- from 1.0.0 before 1.0.0s
- from 0.9.8 before 0.9.8zg
- References
X509_cmp_time does not properly check the length of the ASN1_TIME string and can read a few bytes out of bounds. In addition, X509_cmp_time accepts an arbitrary number of fractional seconds in the time string. An attacker can use this to craft malformed certificates and CRLs of various sizes and potentially cause a segmentation fault, resulting in a DoS on applications that verify certificates or CRLs. TLS clients that verify CRLs are affected. TLS clients and servers with client authentication enabled may be affected if they use custom verification callbacks.
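As an added example (not OpenSSL's code and not from the advisory), the checks a time comparison should make before touching a single digit: exact length for each encoding, ASCII digits only, no fractional seconds, and fail closed on anything else. The tag values and the UTCTime century rule follow RFC 5280; the function and exception names are this example's own.

```python
import re
from datetime import datetime, timezone

# Added example, not OpenSSL code. RFC 5280 allows exactly two time forms in
# certificates and CRLs: UTCTime YYMMDDHHMMSSZ and GeneralizedTime
# YYYYMMDDHHMMSSZ. Anything else (fractional seconds, offsets, missing
# seconds, wrong length) must be rejected, not tolerated.
TAG_UTC_TIME = 0x17
TAG_GENERALIZED_TIME = 0x18
UTC_TIME_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
GEN_TIME_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


class BadTime(ValueError):
    """Raised for any encoding a verifier should refuse rather than guess at."""


def parse_x509_time(tag, raw):
    """Decode the content octets of an ASN.1 time into an aware UTC datetime.

    The length is checked before anything indexes into the string, which is
    the order of checks the advisory above says X509_cmp_time lacked; the
    regex then rejects fractional seconds and every other non-DER form.
    """
    if not isinstance(raw, (bytes, bytearray)):
        raise BadTime("content octets must be bytes")
    if tag == TAG_UTC_TIME:
        expected_len, pattern = 13, UTC_TIME_RE
    elif tag == TAG_GENERALIZED_TIME:
        expected_len, pattern = 15, GEN_TIME_RE
    else:
        raise BadTime("not a time tag: 0x%02x" % tag)
    if len(raw) != expected_len:
        raise BadTime("length %d is invalid for tag 0x%02x" % (len(raw), tag))
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise BadTime("non-ASCII byte in time string")
    match = pattern.match(text)
    if match is None:
        raise BadTime("malformed time string %r" % text)
    fields = [int(x) for x in match.groups()]
    if tag == TAG_UTC_TIME:
        # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY, otherwise 20YY.
        fields[0] += 1900 if fields[0] >= 50 else 2000
    try:
        return datetime(*fields, tzinfo=timezone.utc)
    except ValueError as exc:
        # Month 13, day 32, second 60 and similar all land here.
        raise BadTime("invalid calendar value: %s" % exc)


def x509_cmp_time(tag, raw, now):
    """-1 if the encoded time is before `now`, +1 otherwise. Raises BadTime
    instead of returning a comparison for malformed input (fail closed)."""
    return -1 if parse_x509_time(tag, raw) < now else 1
```

The point of raising rather than returning 0 or a guess is that a certificate or CRL whose validity time cannot be decoded must not be treated as valid by accident; callers that wrap this in a verification callback should turn `BadTime` into a hard verification failure.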
CVE-2015-1788
- Severity
- Moderate
- Published at
- 11 June 2015
- Found by
- Joseph Birr-Pixton
- Affected
-
- from 1.0.2 before 1.0.2b
- from 1.0.1 before 1.0.1n
- from 1.0.0 before 1.0.0e
- from 0.9.8 before 0.9.8s
- References
When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field. This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates. This includes TLS clients and TLS servers with client authentication enabled.
CVE-2015-0293
- Severity
- Moderate
- Published at
- 19 March 2015
- Found by
- Sean Burford (Google) and Emilia Käsper (OpenSSL development team)
- Affected
-
- from 1.0.2 before 1.0.2a
- from 1.0.1 before 1.0.1m
- from 1.0.0 before 1.0.0r
- from 0.9.8 before 0.9.8zf
- References
DoS via reachable assert in SSLv2 servers. A malicious client can trigger an OPENSSL_assert in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message.
CVE-2015-0292
- Severity
- Moderate
- Published at
- 19 March 2015
- Found by
- Robert Dugal, also David Ramos, also Huzaifa Sidhpurwala (Red Hat)
- Affected
-
- from 1.0.1 before 1.0.1h
- from 1.0.0 before 1.0.0m
- from 0.9.8 before 0.9.8za
- References
A vulnerability existed in previous versions of OpenSSL related to the processing of base64 encoded data. Any code path that reads base64 data from an untrusted source could be affected (such as the PEM processing routines). Maliciously crafted base64 data could trigger a segmentation fault or memory corruption.
CVE-2015-0289
- Severity
- Moderate
- Published at
- 19 March 2015
- Found by
- Michal Zalewski (Google)
- Affected
-
- from 1.0.2 before 1.0.2a
- from 1.0.1 before 1.0.1m
- from 1.0.0 before 1.0.0r
- from 0.9.8 before 0.9.8zf
- References
PKCS#7 NULL pointer dereference. The PKCS#7 parsing code does not handle missing outer ContentInfo correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing. Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected.
CVE-2015-0288
- Severity
- Low
- Published at
- 2 March 2015
- Found by
- Brian Carpenter
- Affected
-
- from 1.0.2 before 1.0.2a
- from 1.0.1 before 1.0.1m
- from 1.0.0 before 1.0.0r
- from 0.9.8 before 0.9.8zf
- References
X509_to_X509_REQ NULL pointer deref. The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid. This function is rarely used in practice.
CVE-2015-0287
- Severity
- Moderate
- Published at
- 19 March 2015
- Found by
- Emilia Käsper (OpenSSL development team)
- Affected
-
- from 1.0.2 before 1.0.2a
- from 1.0.1 before 1.0.1m
- from 1.0.0 before 1.0.0r
- from 0.9.8 before 0.9.8zf
- References
ASN.1 structure reuse memory corruption. Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. Such reuse is and has been strongly discouraged and is believed to be rare.
CVE-2015-0286
- Severity
- Moderate
- Published at
- 19 March 2015
- Found by
- Stephen Henson (OpenSSL development team)
- Affected
-
- from 1.0.2 before 1.0.2a
- from 1.0.1 before 1.0.1m
- from 1.0.0 before 1.0.0r
- from 0.9.8zd before 0.9.8zf
- References
Segmentation fault in ASN1_TYPE_cmp. The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check certificate signature algorithm consistency this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication.
CVE-2015-0209
- Severity
- Low
- Published at
- 19 March 2015
- Found by
- The BoringSSL project
- Affected
-
- from 1.0.2 before 1.0.2a
- from 1.0.1 before 1.0.1m
- from 1.0.0 before 1.0.0r
- from 0.9.8 before 0.9.8zf
- References
Use After Free following d2i_ECPrivateKey error. A malformed EC private key file consumed via the d2i_ECPrivateKey function could cause a use after free condition. This, in turn, could cause a double free in several private key parsing functions (such as d2i_PrivateKey or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption for applications that receive EC private keys from untrusted sources. This scenario is considered rare.
CVE-2015-0206
- Severity
- Moderate
- Published at
- 8 January 2015
- Found by
- Chris Mueller
- Affected
-
- from 1.0.1 before 1.0.1k
- from 1.0.0 before 1.0.0p
- References
A memory leak can occur in the dtls1_buffer_record function under certain conditions. In particular this could occur if an attacker sent repeated DTLS records with the same sequence number but for the next epoch. The memory leak could be exploited by an attacker in a Denial of Service attack through memory exhaustion.
CVE-2015-0205
- Severity
- Low
- Published at
- 8 January 2015
- Found by
- Karthikeyan Bhargavan of the PROSECCO team at INRIA
- Affected
-
- from 1.0.1 before 1.0.1k
- from 1.0.0 before 1.0.0p
- References
An OpenSSL server will accept a DH certificate for client authentication without the certificate verify message. This effectively allows a client to authenticate without the use of a private key. This only affects servers which trust a client certificate authority which issues certificates containing DH keys: these are extremely rare and hardly ever encountered.
CVE-2015-0204
- Severity
- Low
- Published at
- 6 January 2015
- Found by
- Karthikeyan Bhargavan of the PROSECCO team at INRIA
- Affected
-
- from 1.0.1 before 1.0.1k
- from 1.0.0 before 1.0.0p
- from 0.9.8 before 0.9.8zd
- References
An OpenSSL client will accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. A server could present a weak temporary key and downgrade the security of the session.
CVE-2014-8275
- Severity
- Low
- Published at
- 5 January 2015
- Found by
- Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program, and Konrad Kraszewski from Google
- Affected
-
- from 1.0.1 before 1.0.1k
- from 1.0.0 before 1.0.0p
- from 0.9.8 before 0.9.8zd
- References
OpenSSL accepts several non-DER variations of certificate signature algorithm and signature encodings. OpenSSL also does not enforce a match between the signature algorithm in the signed and unsigned portions of the certificate. By modifying the contents of the signature algorithm or the encoding of the signature, it is possible to change the certificate’s fingerprint. This does not allow an attacker to forge certificates, and does not affect certificate verification or OpenSSL servers/clients in any other way. It also does not affect common revocation mechanisms. Only custom applications that rely on the uniqueness of the fingerprint (e.g. certificate blacklists) may be affected.
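An added example, not OpenSSL's or the page's code, of the two things a fingerprint-based blacklist would want: a check that the outer signatureAlgorithm is byte-identical to the signature field inside tbsCertificate (RFC 5280 requires this), and a fingerprint computed over tbsCertificate, which the signature protects, rather than over the whole certificate, which it does not. The DER reader is minimal, the certificate it inspects is a constructed toy with only the leading fields populated, and `inspect_certificate` and `build_toy_certificate` are this example's own names.

```python
import hashlib

# Added example, not OpenSSL code: a minimal DER reader plus the checks a
# fingerprint-based blacklist needs. Certificate, tbsCertificate and
# AlgorithmIdentifier layouts follow RFC 5280.


def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the TLV at buf[pos:]. Indefinite lengths
    and non-minimal long-form lengths are refused because they are not DER."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80 or length >> (8 * (n - 1)) == 0:
            raise ValueError("non-minimal length encoding is not DER")
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, bytes(buf[pos:pos + length]), pos + length


def children(seq_value):
    """Split the value of a constructed element into (tag, value, raw_tlv)."""
    out, pos = [], 0
    while pos < len(seq_value):
        start = pos
        tag, value, pos = read_tlv(seq_value, pos)
        out.append((tag, value, bytes(seq_value[start:pos])))
    return out


def tlv(tag, value):
    """DER-encode one element (minimal length form, values under 64 KiB)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    if n < 0x100:
        return bytes([tag, 0x81, n]) + value
    return bytes([tag, 0x82, n >> 8, n & 0xFF]) + value


def inspect_certificate(der):
    """Return inner/outer AlgorithmIdentifier consistency and both fingerprints."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("certificate is not exactly one SEQUENCE")
    parts = children(body)
    if [p[0] for p in parts] != [0x30, 0x30, 0x03]:
        raise ValueError("expected SEQUENCE { tbsCertificate, signatureAlgorithm, BIT STRING }")
    tbs, outer_alg, _signature = parts
    tbs_fields = children(tbs[1])
    # tbsCertificate: [0] version OPTIONAL, serialNumber, signature, issuer, ...
    alg_index = 2 if tbs_fields and tbs_fields[0][0] == 0xA0 else 1
    if len(tbs_fields) <= alg_index or tbs_fields[alg_index][0] != 0x30:
        raise ValueError("tbsCertificate.signature missing or not an AlgorithmIdentifier")
    inner_alg = tbs_fields[alg_index]
    return {
        # RFC 5280 4.1.1.2: the two AlgorithmIdentifiers MUST be identical.
        "algorithms_match": inner_alg[2] == outer_alg[2],
        "fingerprint": hashlib.sha256(der).hexdigest(),
        # Covers exactly the bytes the signature protects, so the unsigned
        # outer fields cannot be tweaked to produce a fresh value.
        "tbs_fingerprint": hashlib.sha256(tbs[2]).hexdigest(),
    }


# Constructed toy input: sha256WithRSAEncryption with and without NULL params.
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")
ALG_WITH_NULL = tlv(0x30, SHA256_RSA_OID + b"\x05\x00")
ALG_NO_NULL = tlv(0x30, SHA256_RSA_OID)


def build_toy_certificate(outer_alg=ALG_WITH_NULL):
    """Constructed, unsigned toy certificate holding only the fields inspected
    above; the BIT STRING is a dummy, so this is not a verifiable certificate."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))
    serial = tlv(0x02, b"\x01\x02\x03")
    tbs = tlv(0x30, version + serial + ALG_WITH_NULL)
    signature = tlv(0x03, b"\x00" + b"\xAA" * 16)
    return tlv(0x30, tbs + outer_alg + signature)


if __name__ == "__main__":
    original = inspect_certificate(build_toy_certificate())
    tweaked = inspect_certificate(build_toy_certificate(outer_alg=ALG_NO_NULL))
    print("whole-cert fingerprint changed:", original["fingerprint"] != tweaked["fingerprint"])
    print("tbs fingerprint unchanged:     ", original["tbs_fingerprint"] == tweaked["tbs_fingerprint"])
    print("inner/outer algorithms match:  ", tweaked["algorithms_match"])
```

Re-encoding the outer AlgorithmIdentifier leaves tbsCertificate and the signature untouched, so the certificate still verifies, yet the whole-certificate SHA-256 changes; the consistency check catches the edit and the tbsCertificate fingerprint does not move.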
CVE-2014-8176
- Severity
- Moderate
- Published at
- 11 June 2015
- Found by
- Praveen Kariyanahalli, and subsequently by Ivan Fratric and Felix Groebert (Google)
- Affected
-
- from 1.0.1 before 1.0.1h
- from 1.0.0 before 1.0.0m
- from 0.9.8 before 0.9.8za
- References
This vulnerability does not affect current versions of OpenSSL. It existed in previous OpenSSL versions and was fixed in June 2014. If a DTLS peer receives application data between the ChangeCipherSpec and Finished messages, buffering of such data may cause an invalid free, resulting in a segmentation fault or potentially, memory corruption.
CVE-2014-3572
- Severity
- Low
- Published at
- 5 January 2015
- Found by
- Karthikeyan Bhargavan of the PROSECCO team at INRIA
- Affected
-
- from 1.0.1 before 1.0.1k
- from 1.0.0 before 1.0.0p
- from 0.9.8 before 0.9.8zd
- References
An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite using an ECDSA certificate if the server key exchange message is omitted. This effectively removes forward secrecy from the ciphersuite.
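The two client-side downgrades above (CVE-2015-0204 and CVE-2014-3572) are both failures to enforce which handshake messages the negotiated key exchange permits. The following added example, not OpenSSL code, encodes that rule as a check over the server's first flight: handshake type numbers are from RFC 5246, the cipher-suite table is a small hand-picked subset, and `check_server_flight` and its error strings are this example's own.

```python
# Added example, not OpenSSL code: enforce which handshake messages the
# negotiated key exchange permits in the server's first flight. Handshake
# type numbers are from RFC 5246 section 7.4; the suite table is a small
# subset chosen for illustration and the rule names are this example's own.
SERVER_HELLO, CERTIFICATE, SERVER_KEY_EXCHANGE = 2, 11, 12
CERTIFICATE_REQUEST, SERVER_HELLO_DONE = 13, 14

KX_BY_SUITE = {
    0x0003: "RSA_EXPORT",   # TLS_RSA_EXPORT_WITH_RC4_40_MD5
    0x002F: "RSA",          # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0033: "DHE_RSA",      # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    0x0018: "DH_anon",      # TLS_DH_anon_WITH_RC4_128_MD5
    0xC005: "ECDH_ECDSA",   # TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (static ECDH)
    0xC02B: "ECDHE_ECDSA",  # TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    0xC02F: "ECDHE_RSA",    # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}

# ServerKeyExchange is "required" for ephemeral and anonymous exchanges,
# "forbidden" when the key comes out of the certificate, and "optional" only
# for export RSA, where RFC 2246 let the server sign a temporary 512-bit key.
# "cert" says whether a Certificate message must be present at all.
RULES = {
    "RSA":         {"ske": "forbidden", "cert": True},
    "RSA_EXPORT":  {"ske": "optional",  "cert": True},
    "DHE_RSA":     {"ske": "required",  "cert": True},
    "ECDHE_RSA":   {"ske": "required",  "cert": True},
    "ECDHE_ECDSA": {"ske": "required",  "cert": True},
    "ECDH_ECDSA":  {"ske": "forbidden", "cert": True},
    "DH_anon":     {"ske": "required",  "cert": False},
}

# Order the optional messages must appear in between ServerHello and
# ServerHelloDone (RFC 5246 section 7.3).
FLIGHT_ORDER = [CERTIFICATE, SERVER_KEY_EXCHANGE, CERTIFICATE_REQUEST]


def check_server_flight(suite, msgs):
    """msgs: handshake types in the order received, ServerHello through
    ServerHelloDone. Returns None when the flight is consistent with the
    negotiated suite, otherwise a string saying why the client must abort."""
    kx = KX_BY_SUITE.get(suite)
    if kx is None:
        return "unknown cipher suite 0x%04x" % suite
    if len(msgs) < 2 or msgs[0] != SERVER_HELLO or msgs[-1] != SERVER_HELLO_DONE:
        return "flight must run from ServerHello to ServerHelloDone"
    middle = list(msgs[1:-1])
    if any(m not in FLIGHT_ORDER for m in middle) or len(set(middle)) != len(middle):
        return "unexpected or duplicated handshake message"
    if [m for m in FLIGHT_ORDER if m in middle] != middle:
        return "handshake messages out of order"
    rule = RULES[kx]
    has_ske = SERVER_KEY_EXCHANGE in middle
    has_cert = CERTIFICATE in middle
    if rule["cert"] and not has_cert:
        return "%s: Certificate missing" % kx
    if not rule["cert"] and has_cert:
        return "%s: anonymous suite must not carry a Certificate" % kx
    if rule["ske"] == "required" and not has_ske:
        # CVE-2014-3572: accepting this silently turns ECDHE into static ECDH.
        return "%s: ServerKeyExchange missing, no ephemeral key" % kx
    if rule["ske"] == "forbidden" and has_ske:
        # CVE-2015-0204: a temporary RSA key offered in a non-export RSA suite.
        return "%s: unexpected ServerKeyExchange, refusing temporary key" % kx
    return None


if __name__ == "__main__":
    for suite, flight in [(0xC02B, [2, 11, 12, 14]), (0xC02B, [2, 11, 14]),
                          (0x002F, [2, 11, 14]), (0x002F, [2, 11, 12, 14])]:
        print(hex(suite), flight, "->", check_server_flight(suite, flight) or "ok")
```

The check is deliberately a function of the suite already agreed in ServerHello: a client that decides what to accept from the messages it happens to receive, instead of from what the suite requires, is exactly the client these two advisories describe.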
CVE-2014-3571
- Severity
- Moderate
- Published at
- 5 January 2015
- Found by
- Markus Stenberg of Cisco Systems, Inc
- Affected
-
- from 1.0.1 before 1.0.1k
- from 1.0.0 before 1.0.0p
- from 0.9.8 before 0.9.8zd
- References
A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. This could lead to a Denial Of Service attack.
CVE-2014-3570
- Severity
- Low
- Published at
- 8 January 2015
- Found by
- Pieter Wuille (Blockstream)
- Affected
-
- from 1.0.1 before 1.0.1k
- from 1.0.0 before 1.0.0p
- from 0.9.8 before 0.9.8zd
- References
Bignum squaring (BN_sqr) may produce incorrect results on some platforms, including x86_64. This bug occurs at random with a very low probability, and is not known to be exploitable in any way, though its exact impact is difficult to determine. The following has been determined:
- The probability of BN_sqr producing an incorrect result at random is very low: 1/2^64 on the single affected 32-bit platform (MIPS) and 1/2^128 on affected 64-bit platforms.
- On most platforms, RSA follows a different code path and RSA operations are not affected at all. For the remaining platforms (e.g. OpenSSL built without assembly support), pre-existing countermeasures thwart bug attacks [1].
- Static ECDH is theoretically affected: it is possible to construct elliptic curve points that would falsely appear to be on the given curve. However, there is no known computationally feasible way to construct such points with low order, and so the security of static ECDH private keys is believed to be unaffected.
- Other routines known to be theoretically affected are modular exponentiation, primality testing, DSA, RSA blinding, JPAKE and SRP. No exploits are known and straightforward bug attacks fail: either the attacker cannot control when the bug triggers, or no private key material is involved.
CVE-2014-3569
- Severity
- Low
- Published at
- 21 October 2014
- Found by
- Frank Schmirler
- Affected
-
- from 1.0.1j before 1.0.1k
- from 1.0.0o before 1.0.0p
- from 0.9.8zc before 0.9.8zd
- References
When OpenSSL is built with the no-ssl3 option and an SSL 3.0 ClientHello is received, the SSL method would be set to NULL, which could later result in a NULL pointer dereference.
CVE-2014-3568
- Severity
- Low
- Published at
- 15 October 2014
- Found by
- Akamai Technologies
- Affected
-
- from 1.0.1 before 1.0.1j
- from 1.0.0 before 1.0.0o
- from 0.9.8 before 0.9.8zc
- References
When OpenSSL is configured with “no-ssl3” as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them.
CVE-2014-3567
- Severity
- Moderate
- Published at
- 15 October 2014
- Affected
-
- from 1.0.1 before 1.0.1j
- from 1.0.0 before 1.0.0o
- from 0.9.8g before 0.9.8zc
- References
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack.
CVE-2014-3510
- Published at
- 6 August 2014
- Found by
- Felix Gröbert (Google)
- Affected
-
- from 1.0.1 before 1.0.1i
- from 1.0.0 before 1.0.0n
- from 0.9.8 before 0.9.8zb
- References
A flaw in handling DTLS anonymous EC(DH) ciphersuites was found. OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a denial of service attack. A malicious server can crash the client with a null pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and sending carefully crafted handshake messages.
CVE-2014-3509
- Published at
- 6 August 2014
- Found by
- Gabor Tyukasz (LogMeIn Inc)
- Affected
-
- from 1.0.1 before 1.0.1i
- from 1.0.0 before 1.0.0n
- References
A race condition was found in ssl_parse_serverhello_tlsext. If a multithreaded client connects to a malicious server using a resumed session and the server sends an ec point format extension, it could write up to 255 bytes to freed memory.
CVE-2014-3508
- Published at
- 6 August 2014
- Found by
- Ivan Fratric (Google)
- Affected
-
- from 1.0.1 before 1.0.1i
- from 1.0.0 before 1.0.0n
- from 0.9.8 before 0.9.8zb
- References
A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_NAME_oneline and X509_NAME_print_ex to leak some information from the stack. Applications may be affected if they echo pretty printing output to the attacker. OpenSSL SSL/TLS clients and servers themselves are not affected.
CVE-2014-3507
- Published at
- 6 August 2014
- Found by
- Adam Langley (Google)
- Affected
-
- from 1.0.1 before 1.0.1i
- from 1.0.0a before 1.0.0n
- from 0.9.8o before 0.9.8zb
- References
A DTLS memory leak from zero-length fragments was found. By sending carefully crafted DTLS packets an attacker could cause OpenSSL to leak memory. This could lead to a Denial of Service attack.
CVE-2014-3506
- Published at
- 6 August 2014
- Found by
- Adam Langley (Google)
- Affected
-
- from 1.0.1 before 1.0.1i
- from 1.0.0 before 1.0.0n
- from 0.9.8 before 0.9.8zb
- References
A DTLS flaw leading to memory exhaustion was found. An attacker can force OpenSSL to consume large amounts of memory whilst processing DTLS handshake messages. This could lead to a Denial of Service attack.
CVE-2014-3505
- Published at
- 6 August 2014
- Found by
- Adam Langley and Wan-Teh Chang (Google)
- Affected
-
- from 1.0.1 before 1.0.1i
- from 1.0.0 before 1.0.0n
- from 0.9.8m before 0.9.8zb
- References
A double free was found when processing DTLS packets. An attacker can force an error condition which causes OpenSSL to crash whilst processing DTLS packets due to memory being freed twice. This could lead to a Denial of Service attack.
CVE-2014-3470
- Published at
- 30 May 2014
- Found by
- Felix Gröbert and Ivan Fratrić (Google)
- Affected
-
- from 1.0.1 before 1.0.1h
- from 1.0.0 before 1.0.0m
- from 0.9.8 before 0.9.8za
- References
OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.
CVE-2014-0224
- Published at
- 5 June 2014
- Found by
- KIKUCHI Masashi (Lepidum Co. Ltd.)
- Affected
-
- from 1.0.1 before 1.0.1h
- from 1.0.0 before 1.0.0m
- from 0.9.8 before 0.9.8za
- References
An attacker can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.
CVE-2014-0221
- Published at
- 5 June 2014
- Found by
- Imre Rad (Search-Lab Ltd.)
- Affected
-
- from 1.0.1 before 1.0.1h
- from 1.0.0 before 1.0.0m
- from 0.9.8 before 0.9.8za
- References
By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected.
CVE-2014-0198
- Published at
- 21 April 2014
- Affected
-
- from 1.0.1 before 1.0.1h
- from 1.0.0 before 1.0.0m
- References
A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
CVE-2014-0195
- Published at
- 5 June 2014
- Found by
- Jüri Aedla
- Affected
-
- from 1.0.1 before 1.0.1h
- from 1.0.0 before 1.0.0m
- from 0.9.8o before 0.9.8za
- References
A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Only applications using OpenSSL as a DTLS client or server are affected.
CVE-2014-0076
- Published at
- 14 February 2014
- Found by
- Yuval Yarom and Naomi Benger
- Affected
-
- from 1.0.1 before 1.0.1g
- from 1.0.0 before 1.0.0m
- from 0.9.8 before 0.9.8za
- References
Fix for the attack described in the paper “Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack”.
CVE-2013-6450
- Published at
- 13 December 2013
- Found by
- Dmitry Sobinov
- Affected
-
- from 1.0.1 before 1.0.1f
- from 1.0.0 before 1.0.0l
- References
A flaw in DTLS handling can cause an application using OpenSSL and DTLS to crash. This is not a vulnerability for OpenSSL prior to 1.0.0.
CVE-2013-0169
- Published at
- 4 February 2013
- Found by
- Nadhem J. AlFardan and Kenneth G. Paterson of the Information Security Group Royal Holloway, University of London
- Affected
-
- from 1.0.1 before 1.0.1d
- from 1.0.0 before 1.0.0k
- from 0.9.8 before 0.9.8y
- References
A weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS which could lead to plaintext recovery by exploiting timing differences arising during MAC processing.
CVE-2013-0166
- Published at
- 5 February 2013
- Found by
- Stephen Henson
- Affected
-
- from 1.0.1 before 1.0.1d
- from 1.0.0 before 1.0.0k
- from 0.9.8 before 0.9.8y
- References
A flaw in the OpenSSL handling of OCSP response verification can be exploited in a denial of service attack.
CVE-2012-2333
- Published at
- 10 May 2012
- Found by
- Codenomicon
- Affected
-
- from 1.0.1 before 1.0.1c
- from 1.0.0 before 1.0.0j
- from 0.9.8 before 0.9.8x
- References
An integer underflow flaw, leading to a buffer over-read, was found in the way OpenSSL handled TLS 1.1, TLS 1.2, and DTLS (Datagram Transport Layer Security) application data record lengths when using a block cipher in CBC (cipher-block chaining) mode. A malicious TLS 1.1, TLS 1.2, or DTLS client or server could use this flaw to crash its connection peer.
CVE-2012-2110
- Published at
- 19 April 2012
- Found by
- Tavis Ormandy
- Affected
-
- from 1.0.1 before 1.0.1a
- from 1.0.0 before 1.0.0i
- from 0.9.8 before 0.9.8v
- References
Multiple numeric conversion errors, leading to a buffer overflow, were found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data from BIO (OpenSSL’s I/O abstraction) inputs. Specially-crafted DER (Distinguished Encoding Rules) encoded data read from a file or other BIO input could cause an application using the OpenSSL library to crash or, potentially, execute arbitrary code.
CVE-2012-0884
- Published at
- 12 March 2012
- Found by
- Ivan Nestlerode
- Affected
-
- from 1.0.0 before 1.0.0h
- from 0.9.8 before 0.9.8u
- References
A weakness in the OpenSSL CMS and PKCS #7 code can be exploited using Bleichenbacher’s attack on PKCS #1 v1.5 RSA padding also known as the million message attack (MMA). Only users of CMS, PKCS #7, or S/MIME decryption operations are affected, SSL/TLS applications are not affected by this issue.
CVE-2012-0050
- Published at
- 4 January 2012
- Found by
- Antonio Martin
- Affected
-
- from 1.0.0f before 1.0.0g
- from 0.9.8s before 0.9.8t
- References
A flaw in the fix to CVE-2011-4108 can be exploited in a denial of service attack. Only DTLS applications are affected.
CVE-2012-0027
- Published at
- 4 January 2012
- Found by
- Andrey Kulikov
- Affected
-
- from 1.0.0 before 1.0.0f
- References
A malicious TLS client can send an invalid set of GOST parameters which will cause the server to crash due to lack of error checking. This could be used in a denial-of-service attack. Only users of the OpenSSL GOST ENGINE are affected by this bug.
CVE-2011-4619
- Published at
- 4 January 2012
- Found by
- George Kadianakis
- Affected
-
- from 1.0.0 before 1.0.0f
- from 0.9.8 before 0.9.8s
- References
Support for handshake restarts for server gated cryptography (SGC) can be used in a denial-of-service attack.
CVE-2011-4577
- Published at
- 4 January 2012
- Found by
- Andrew Chi
- Affected
-
- from 1.0.0 before 1.0.0f
- from 0.9.8 before 0.9.8s
- References
RFC 3779 data can be included in certificates, and if it is malformed, may trigger an assertion failure. This could be used in a denial-of-service attack. Builds of OpenSSL are only vulnerable if configured with “enable-rfc3779”, which is not a default.
CVE-2011-4576
- Published at
- 4 January 2012
- Found by
- Adam Langley
- Affected
-
- from 1.0.0 before 1.0.0f
- from 0.9.8 before 0.9.8s
- References
OpenSSL failed to clear the bytes used as block cipher padding in SSL 3.0 records which could leak the contents of memory in some circumstances.
CVE-2011-4108
- Published at
- 4 January 2012
- Found by
- Nadhem Alfardan and Kenny Paterson
- Affected
-
- from 1.0.0 before 1.0.0f
- from 0.9.8 before 0.9.8s
- References
OpenSSL was susceptible to an extension of the Vaudenay padding oracle attack on CBC mode encryption, which enables an efficient plaintext recovery attack against the OpenSSL implementation of DTLS by exploiting timing differences arising during decryption processing.
CVE-2011-3210
- Published at
- 6 September 2011
- Found by
- Adam Langley
- Affected
-
- from 1.0.0 before 1.0.0e
- References
OpenSSL server code for ephemeral ECDH ciphersuites is not thread-safe, and furthermore can crash if a client violates the protocol by sending handshake messages in incorrect order. Only server-side applications that specifically support ephemeral ECDH ciphersuites are affected, and only if ephemeral ECDH ciphersuites are enabled in the configuration.
CVE-2011-3207
- Published at
- 6 September 2011
- Found by
- Kaspar Brand
- Affected
-
- from 1.0.0 before 1.0.0e
- References
Under certain circumstances OpenSSL’s internal certificate verification routines can incorrectly accept a CRL whose nextUpdate field is in the past. Applications are only affected by the CRL checking vulnerability if they enable OpenSSL’s internal CRL checking which is off by default. Applications which use their own custom CRL checking (such as Apache) are not affected.
CVE-2011-0014
- Published at
- 8 February 2011
- Found by
- Neel Mehta
- Affected
-
- from 1.0.0 before 1.0.0d
- from 0.9.8h before 0.9.8r
- References
A buffer over-read flaw was discovered in the way OpenSSL parsed the Certificate Status Request TLS extensions in ClientHello TLS handshake messages. A remote attacker could possibly use this flaw to crash an SSL server using the affected OpenSSL functionality.
CVE-2010-5298
- Published at
- 8 April 2014
- Affected
-
- from 1.0.1 before 1.0.1h
- from 1.0.0 before 1.0.0m
- References
A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
CVE-2010-4252
- Published at
- 2 December 2010
- Found by
- Sebastian Martini
- Affected
-
- from 1.0.0 before 1.0.0c
- References
An error in OpenSSL’s experimental J-PAKE implementation could lead to successful validation by someone with no knowledge of the shared secret. The OpenSSL team still considers the J-PAKE implementation experimental; it is not compiled by default.
CVE-2010-4180
- Published at
- 2 December 2010
- Found by
- Martin Rex
- Affected
-
- from 1.0.0 before 1.0.0c
- from 0.9.8 before 0.9.8q
- References
A flaw in the OpenSSL SSL/TLS server code where an old bug workaround allows malicious clients to modify the stored session cache ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one on subsequent connections. This issue only affects OpenSSL based SSL/TLS server if it uses OpenSSL’s internal caching mechanisms and the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG flag (many applications enable this by using the SSL_OP_ALL option).
CVE-2010-3864
- Published at
- 16 November 2010
- Found by
- Rob Hulswit
- Affected
-
- from 1.0.0 before 1.0.0b
- from 0.9.8 before 0.9.8p
- References
A flaw in the OpenSSL TLS server extension code parsing which on affected servers can be exploited in a buffer overrun attack. Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL’s internal caching mechanism. Servers that are multi-process and/or disable internal session caching are NOT affected.
CVE-2010-1633
- Published at
- 1 June 2010
- Found by
- Peter-Michael Hager
- Affected
-
- from 1.0.0 before 1.0.0a
- References
An invalid return value check in pkey_rsa_verifyrecover was discovered. When verification recovery fails for RSA keys, an uninitialised buffer with an undefined length is returned instead of an error code. This could lead to an information leak.
CVE-2010-0742
- Published at
- 1 June 2010
- Found by
- Ronald Moesbergen
- Affected
-
- from 0.9.8h before 0.9.8o
- from 1.0.0 before 1.0.0a
- References
A flaw in the handling of CMS structures containing OriginatorInfo was found which could lead to a write to invalid memory address or double free. CMS support is disabled by default in OpenSSL 0.9.8 versions.