OpenSSL PKCS7_dataDecode Function Denial of Service Vulnerability (CVE-2015-1790)
Release date:
Updated on:
Affected Systems:
OpenSSL Project OpenSSL < 0.9.8zg
OpenSSL Project OpenSSL < 1.0.2b
OpenSSL Project OpenSSL < 1.0.1n
OpenSSL Project OpenSSL < 1.0.0s
Description:
CVE (CAN) ID: CVE-2015-1790
OpenSSL is an open-source SSL implementation that implements high-strength encryption for network communication. It is widely used in various network applications.
The PKCS7_dataDecode function in crypto/pkcs7/pk7_doit.c in OpenSSL versions before 0.9.8zg, 1.0.0s, 1.0.1n and 1.0.2b contains a security vulnerability: a remote attacker can cause a denial of service (NULL pointer dereference and application crash) by supplying an ASN.1-encoded PKCS #7 blob that lacks the inner EncryptedContent data.
<* Source: Michal Zalewski
Link: https://www.openssl.org/news/secadv_20150611.txt
*>
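An added example, not OpenSSL's own code: a minimal DER walker that checks whether a PKCS#7 EncryptedContentInfo carries its OPTIONAL [0] encryptedContent field, the field whose absence is described above. The sample blobs are constructed here (pkcs7-data content type, aes128-CBC algorithm identifier) and are not taken from the advisory.

```python
# Added example, not OpenSSL's own code: a minimal DER walker that checks
# whether a PKCS#7 EncryptedContentInfo carries its OPTIONAL [0]
# encryptedContent field, the field whose absence made the unpatched
# PKCS7_dataDecode() dereference a NULL pointer. A consumer can reject
# such blobs before handing them to a vulnerable library.

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length

def has_encrypted_content(eci_der):
    """True if the EncryptedContentInfo SEQUENCE includes [0] encryptedContent."""
    tag, body, _ = read_tlv(eci_der, 0)
    if tag != 0x30:
        raise ValueError("EncryptedContentInfo must be a SEQUENCE")
    tag, _, pos = read_tlv(body, 0)            # contentType (OID)
    if tag != 0x06:
        raise ValueError("expected contentType OID")
    tag, _, pos = read_tlv(body, pos)          # contentEncryptionAlgorithm
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    if pos >= len(body):
        return False                            # OPTIONAL field is absent
    tag, _, _ = read_tlv(body, pos)
    return tag in (0x80, 0xA0)                  # [0] IMPLICIT, primitive or constructed

# Constructed sample blobs (not taken from the advisory):
# contentType = pkcs7-data (1.2.840.113549.1.7.1),
# algorithm = aes128-CBC (2.16.840.1.101.3.4.1.2) with a 16-byte zero IV.
OID_DATA = bytes.fromhex("06092a864886f70d010701")
ALG = bytes.fromhex("301d0609608648016503040102" + "0410" + "00" * 16)

def seq(*parts):
    """Wrap parts in a DER SEQUENCE (short-form length suffices here)."""
    body = b"".join(parts)
    return b"\x30" + bytes([len(body)]) + body

WITH_CONTENT = seq(OID_DATA, ALG, b"\x80\x04\xde\xad\xbe\xef")
WITHOUT_CONTENT = seq(OID_DATA, ALG)          # the shape the advisory describes
```

The check inspects only the EncryptedContentInfo structure; a real PKCS#7 envelope nests it inside ContentInfo and EnvelopedData, so locate that inner SEQUENCE first.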
Suggestion:
Vendor patch:
OpenSSL Project
---------------
The OpenSSL Project has released a Security Bulletin (secadv_20150611) and corresponding patches:
secadv_20150611: OpenSSL Security Advisory [11 Jun 2015]
Link: https://www.openssl.org/news/secadv_20150611.txt