ID

VAR-200312-0218

CVE

CVE-2003-0851

TITLE

OpenSSL 0.9.6k does not properly handle ASN.1 sequences

DESCRIPTION

OpenSSL 0.9.6k allows remote attackers to cause a denial of service (crash via large recursion) via malformed ASN.1 sequences. OpenSSL Is ASN.1 (Abstract Syntax Notation One) A vulnerability that causes deep recursion exists due to poor handling of sequences.By sending a client certificate crafted by a third party to the target host, OpenSSL Server using the library interferes with service operation (DoS) It may be in a state. A problem has been identified in OpenSSL when handling specific types of ASN.1 requests. This issue is also known to affect numerous Cisco products. It is possible that other vendors will also be acknowledging this issue and providing fixes. Oracle Database Server, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business and Applications, Oracle Enterprise Manager Grid Control, and Oracle PeopleSoft Applications are reported prone to multiple vulnerabilities. Oracle has released a Critical Patch Update to address these issues in various supported applications and platforms. Other non-supported versions may be affected, but Symantec has not confirmed this. The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. While various levels of authorization are required to leverage some issues, others do not require any authorization. This BID will be divided and updated into separate BIDs when more information is available. An attacker could exploit these vulnerabilities to take complete control of an affected database. TITLE: Red Hat update for openssl SECUNIA ADVISORY ID: SA17398 VERIFY ADVISORY: http://secunia.com/advisories/17398/ CRITICAL: Moderately critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: RedHat Linux Advanced Workstation 2.1 for Itanium http://secunia.com/product/1326/ RedHat Enterprise Linux WS 2.1 http://secunia.com/product/1044/ RedHat Enterprise Linux ES 2.1 http://secunia.com/product/1306/ RedHat Enterprise Linux AS 2.1 http://secunia.com/product/48/ DESCRIPTION: Red Hat has issued an update for openssl. http://rhn.redhat.com/ ORIGINAL ADVISORY: http://rhn.redhat.com/errata/RHSA-2005-829.html OTHER REFERENCES: SA11139: http://secunia.com/advisories/11139/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. OpenSSL Security Advisory [4 November 2003] Denial of Service in ASN.1 parsing ================================== Previously, OpenSSL 0.9.6k was released on the 30 September 2003 to address various ASN.1 issues. The issues were found using a test suite from NISCC (www.niscc.gov.uk) and fixed by Dr Stephen Henson (steve@openssl.org) of the OpenSSL core team. Subsequent to that release, Novell Inc. carried out further testing using the NISCC suite. This could be performed for example by sending a client certificate to a SSL/TLS enabled server which is configured to accept them. Patches for this issue have been created by Dr Stephen Henson (steve@openssl.org) of the OpenSSL core team. Who is affected? ---------------- OpenSSL 0.9.6k is affected by the bug, but the denial of service does not affect all platforms. This issue does not affect OpenSSL 0.9.7. Currently only OpenSSL running on Windows platforms is known to crash. Recommendations --------------- Upgrade to OpenSSL 0.9.6l or 0.9.7c. Recompile any OpenSSL applications statically linked to OpenSSL libraries. OpenSSL 0.9.6l is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): o https://www.openssl.org/source/ o ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-0.9.6l.tar.gz [normal] MD5 checksum: 843a65ddc56634f0e30a4f9474bb5b27 o openssl-engine-0.9.6l.tar.gz [engine] MD5 checksum: dd372198cdf31667f2cb29cd76fbda1c The checksums were calculated using the following command: openssl md5 < openssl-0.9.6l.tar.gz openssl md5 < openssl-engine-0.9.6l.tar.gz References ---------- The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0851 to this issue. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0851 URL for this Security Advisory: https://www.openssl.org/news/secadv_20031104.txt

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

input validation

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

David Litchfield※ david@nextgenss.com

SOURCES

LAST UPDATE DATE

2024-09-17T22:04:46.731000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE