JBoss Core Services / JBCS-47

CVE-2015-0286 openssl: invalid pointer use in ASN1_TYPE_cmp() [jbews-3.0.0]


Details

    Release Notes

    An invalid pointer use flaw was found in OpenSSL’s ASN1_TYPE_cmp() function. With a specially crafted X.509 certificate that had been verified by the application, a remote attacker could crash a TLS/SSL client or server using OpenSSL.

    Description

      The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check certificate signature algorithm consistency this can be used to crash any certificate verification operation and exploited in a denial of service attack. Any application which performs certificate verification is vulnerable, including OpenSSL clients and servers which enable client authentication.
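The description above points at the root cause: an ASN.1 ANY value keeps its payload in a union, a BOOLEAN is stored inline rather than behind a pointer, and a comparison routine that reaches a pointer-based path for such a type reads a non-pointer as if it were one. The block below is an added illustration, not OpenSSL's code and not the fix shipped for this issue; the struct layout, the type constants, the alg_id_t type and the sample OID are assumptions made for the example. It shows the defensive shape a reviewer looks for in this kind of code: every non-pointer variant is handled explicitly before any default path dereferences the union, and the consistency check between the inner and outer signature algorithm then cannot be driven into an invalid read by the parameters field of an attacker-supplied certificate.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Cut-down model of a tagged ASN.1 "ANY" value (constructed for this
 * example; not OpenSSL's ASN1_TYPE). The payload is a union: BOOLEAN is
 * stored inline as an integer, NULL carries no payload, and string-like
 * types hold a pointer. A comparison that falls through to the
 * pointer-based path for every type without an explicit case would read
 * the inline boolean as a pointer.
 */
enum { T_BOOLEAN = 1, T_OCTET_STRING = 4, T_NULL = 5 };

typedef struct {
    size_t len;
    const unsigned char *data;
} asn1_string_t;

typedef struct {
    int type;
    union {
        int boolean;          /* inline value: not a pointer */
        asn1_string_t *str;   /* pointer: meaningful only for string-like types */
    } value;
} asn1_any_t;

static int string_cmp(const asn1_string_t *a, const asn1_string_t *b)
{
    if (a->len != b->len)
        return -1;
    return memcmp(a->data, b->data, a->len) == 0 ? 0 : -1;
}

/*
 * Hardened comparison: each variant that does not hold a pointer gets its
 * own case before the default path. Returns 0 when equal, -1 otherwise.
 */
int asn1_any_cmp(const asn1_any_t *a, const asn1_any_t *b)
{
    if (a->type != b->type)
        return -1;
    switch (a->type) {
    case T_BOOLEAN:
        return a->value.boolean == b->value.boolean ? 0 : -1;
    case T_NULL:
        return 0;                 /* no payload to compare */
    default:
        /* Only string-like variants reach here, so the pointer is valid to use. */
        if (a->value.str == NULL || b->value.str == NULL)
            return -1;
        return string_cmp(a->value.str, b->value.str);
    }
}

/*
 * Hypothetical AlgorithmIdentifier: an OID plus an ANY-typed parameters
 * field. A verifier checks that the AlgorithmIdentifier inside the
 * TBSCertificate matches the certificate's outer signatureAlgorithm.
 */
typedef struct {
    const char *oid;
    asn1_any_t params;
} alg_id_t;

/* Returns 1 when the two AlgorithmIdentifiers agree, 0 otherwise. */
int alg_id_consistent(const alg_id_t *inner, const alg_id_t *outer)
{
    if (strcmp(inner->oid, outer->oid) != 0)
        return 0;
    return asn1_any_cmp(&inner->params, &outer->params) == 0;
}

int main(void)
{
    /* Constructed sample: a certificate whose parameters field is a BOOLEAN. */
    alg_id_t inner = { "1.2.840.113549.1.1.11", { T_BOOLEAN, { .boolean = 1 } } };
    alg_id_t outer = { "1.2.840.113549.1.1.11", { T_BOOLEAN, { .boolean = 1 } } };
    printf("boolean params match: %d\n", alg_id_consistent(&inner, &outer));

    outer.params.value.boolean = 0;
    printf("boolean params differ: %d\n", alg_id_consistent(&inner, &outer));
    return 0;
}
```

The point of the explicit BOOLEAN and NULL cases is that the default branch is the only place the union is treated as a pointer; any type that stores something else must never reach it. When reviewing comparison or copy routines over tagged unions, check that the set of explicitly handled tags covers every tag whose payload is not a pointer.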

    People

      George Zaronikas (gzaronik@redhat.com)
      Tim Walsh (rhn-support-twalsh)
      Michal Karm