OpenSSL ASN1_TFLG_COMBINE Information Leakage Vulnerability (CVE-2015-3195)
Affected Systems:
OpenSSL Project OpenSSL < 0.9.8zh
OpenSSL Project OpenSSL 1.0.2-1.0.2e
OpenSSL Project OpenSSL 1.0.1-1.0.1q
OpenSSL Project OpenSSL 1.0.0-1.0.0t
Description:
CVE (CAN) ID: CVE-2015-3195
OpenSSL is an open-source SSL implementation that implements high-strength encryption for network communication. It is widely used in various network applications.
In OpenSSL versions earlier than 0.9.8zh, and in 1.0.0-1.0.0t, 1.0.1-1.0.1q and 1.0.2-1.0.2e, the ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c mishandles errors caused by malformed X509_ATTRIBUTE data. By triggering a decoding failure in a PKCS #7 or CMS application, a remote attacker can exploit this vulnerability to obtain sensitive information from process memory.
<* Source: OpenSSL
Link: http://openssl.org/news/secadv/20151203.txt
*>
Suggestion:
Vendor patch:
OpenSSL Project
---------------
The OpenSSL Project has released a security advisory (20151203) and corresponding patches for this issue:
20151203: OpenSSL Security Advisory [3 Dec 2015] - Updated [4 Dec 2015]
Link: http://openssl.org/news/secadv/20151203.txt
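The following Python check is an added example, not code from the advisory or from the OpenSSL project. It classifies the output of `openssl version` against the affected ranges listed above, treating the releases named in advisory 20151203 (0.9.8zh, 1.0.0t, 1.0.1q, 1.0.2e) as the first fixed versions. The function names and sample strings are constructed for illustration. Distribution packages that backport fixes keep the old version string, so confirm a hit against the package changelog.

```python
import re

# First fixed release per branch (OpenSSL advisory 20151203).
FIXED = {(0, 9, 8): "zh", (1, 0, 0): "t", (1, 0, 1): "q", (1, 0, 2): "e"}

# Pre-1.1.1 scheme: major.minor.fix followed by optional patch letters.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return ((major, minor, fix), letters) from e.g. 'OpenSSL 1.0.1f 6 Jan 2014'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)


def _patch_key(letters):
    # Patch letters order as '' < 'a' < ... < 'z' < 'za' < ... < 'zh',
    # so compare by length first, then alphabetically.
    return (len(letters), letters)


def is_affected(text):
    """True if the version string falls in a range this advisory lists."""
    branch, letters = parse_version(text)
    if branch in FIXED:
        return _patch_key(letters) < _patch_key(FIXED[branch])
    # Branches older than 0.9.8 are covered by "< 0.9.8zh";
    # branches not listed in the advisory (1.1.0 and later) are not flagged.
    return branch < (0, 9, 8)


if __name__ == "__main__":
    # Constructed sample inputs in the format printed by `openssl version`.
    samples = [
        "OpenSSL 1.0.1f 6 Jan 2014",
        "OpenSSL 1.0.2e 3 Dec 2015",
        "OpenSSL 0.9.8zg 11 Jun 2015",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
    ]
    for s in samples:
        print("%-36s %s" % (s, "AFFECTED" if is_affected(s) else "not affected"))
```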