2015-12-06 21:59:05 2019-06-14 16:44:09

The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.

Vector: NETWORK
Complexity: LOW
Authentication: NONE
Confidentiality: NONE
Integrity: NONE
Availability: PARTIAL
Oracle VM VirtualBox 4.3.4
Oracle VM VirtualBox 4.3.2
Oracle VM VirtualBox 4.3.0
Oracle Transportation management 6.2 (not an official CPE)
Oracle Transportation management 6.1 (not an official CPE)
Oracle Sun ray software 11.1 (not an official CPE)
Oracle Life sciences data hub 2.1 (not an official CPE)
Oracle Exalogic infrastructure 2.0 (not an official CPE)
Oracle Exalogic infrastructure 1.0 (not an official CPE)
Oracle Api gateway 11.1.2.4.0 (not an official CPE)
Oracle Api gateway 11.1.2.3.0 (not an official CPE)
Openssl Openssl 1.0.2d (not an official CPE)
OpenSSL Project OpenSSL 1.0.2c
OpenSSL Project OpenSSL 1.0.2b
Openssl Openssl 1.0.2a (not an official CPE)
OpenSSL Project OpenSSL 1.0.2
Openssl Openssl 1.0.1p (not an official CPE)
OpenSSL Project OpenSSL 1.0.1o
OpenSSL Project OpenSSL 1.0.1n
Openssl Openssl 1.0.1m (not an official CPE)
OpenSSL Project OpenSSL 1.0.1l
OpenSSL Project OpenSSL 1.0.1j
OpenSSL Project OpenSSL 1.0.1k
OpenSSL Project OpenSSL 1.0.1i
OpenSSL Project OpenSSL 1.0.1h
OpenSSL Project OpenSSL 1.0.1g
OpenSSL Project OpenSSL 1.0.1e
OpenSSL Project OpenSSL 1.0.1f
OpenSSL Project OpenSSL 1.0.1d
OpenSSL Project OpenSSL 1.0.1c
OpenSSL Project OpenSSL 1.0.1b
OpenSSL Project OpenSSL 1.0.1a
Openssl Openssl 1.0.0s (not an official CPE)
Openssl Openssl 1.0.0r (not an official CPE)
OpenSSL Project OpenSSL 1.0.0q
OpenSSL Project OpenSSL 1.0.0p
OpenSSL OpenSSL 1.0.0o
OpenSSL Project OpenSSL 1.0.0n
OpenSSL Project OpenSSL 1.0.0m
OpenSSL Project OpenSSL 1.0.0l
OpenSSL Project OpenSSL 1.0.0k
OpenSSL Project OpenSSL 1.0.0j
OpenSSL Project OpenSSL 1.0.0i
OpenSSL Project OpenSSL 1.0.0h
OpenSSL Project OpenSSL 1.0.0g
OpenSSL Project OpenSSL 1.0.0f
OpenSSL Project OpenSSL 1.0.0d
OpenSSL Project OpenSSL 1.0.0e
OpenSSL Project OpenSSL 1.0.0c
OpenSSL Project OpenSSL 1.0.0b
OpenSSL Project OpenSSL 1.0.0a
OpenSSL Project OpenSSL 1.0.0
Openssl Openssl 0.9.8zg (not an official CPE)
Oracle VM VirtualBox 4.3.6
Oracle VM VirtualBox 4.3.8
Oracle VM VirtualBox 4.3.10
Oracle VM VirtualBox 4.3.12
Oracle VM VirtualBox 4.3.14
Oracle Vm virtualbox 4.3.16 (not an official CPE)
Oracle VM VirtualBox 4.3.18
Oracle Vm virtualbox 4.3.22 (not an official CPE)
Oracle Vm virtualbox 4.3.24 (not an official CPE)
Oracle Vm virtualbox 4.3.26 (not an official CPE)
Oracle Vm virtualbox 4.3.28 (not an official CPE)
Oracle VM VirtualBox 4.3.29
Oracle Vm virtualbox 4.3.30 (not an official CPE)
Oracle Vm virtualbox 4.3.32 (not an official CPE)
Oracle Vm virtualbox 4.3.34 (not an official CPE)
Oracle Vm virtualbox 4.3.35 (not an official CPE)
Oracle Vm virtualbox 4.3.36 (not an official CPE)
Advisory Patch Confirmed Link
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/d...
http://kb.juniper.net/InfoCenter/index?page=content&id=J...
http://kb.juniper.net/InfoCenter/index?page=content&id=J...
APPLE-SA-2016-03-21-5
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/d...
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/d...
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/d...
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/d...
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/d...
https://git.openssl.org/?p=openssl.git;a=commit;h=cc598f...
USN-2830-1
91787
1034294
SSA:2015-349-04
78626
http://www.oracle.com/technetwork/topics/security/cpujan...
http://www.oracle.com/technetwork/topics/security/bullet...
http://www.oracle.com/technetwork/topics/security/ovmbul...
http://www.oracle.com/technetwork/topics/security/linuxb...
http://www.oracle.com/technetwork/security-advisory/cpuj...
http://www.oracle.com/technetwork/security-advisory/cpuj...
http://www.oracle.com/technetwork/security-advisory/cpuo...
http://www.oracle.com/technetwork/security-advisory/cpuo...
http://www.oracle.com/technetwork/security-advisory/cpua...
http://www.oracle.com/technetwork/security-advisory/cpuj...
DSA-3413
http://www.fortiguard.com/advisory/openssl-advisory-dece...
20151204 Multiple Vulnerabilities in OpenSSL (December 2...
openSUSE-SU-2016:0640
SUSE-SU-2016:0678
RHSA-2016:2056
RHSA-2016:2957
RHSA-2015:2617
RHSA-2015:2616
http://openssl.org/news/secadv/20151203.txt
HPSBGN03536
openSUSE-SU-2015:2349
openSUSE-SU-2015:2318
openSUSE-SU-2015:2289
openSUSE-SU-2015:2288
openSUSE-SU-2016:0637
FEDORA-2015-d87d60b9a9
http://kb.juniper.net/InfoCenter/index?page=content&id=J...
http://fortiguard.com/advisory/openssl-advisory-december...
https://kb.pulsesecure.net/articles/Pulse_Security_Advis...
https://support.apple.com/HT206167