Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: httpd 2.4.23 DR1
Affects Version/s: httpd 2.4.6 DR1
Component/s: openssl
Labels:

Affects:

Release Notes
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Release Note Text:
An invalid pointer use flaw was found in OpenSSL’s ASN1_TYPE_cmp() function. With a specially crafted X.509 certificate that had been verified by the application, a remote attacker could crash a TLS/SSL client or server using OpenSSL.
Target Release:

httpd 2.4.23 GA

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check certificate signature algorithm consistency this can be used to crash any certificate verification operation and exploited in a denial of service attack. Any application which performs certificate verification is vulnerable, including OpenSSL clients and servers which enable client authentication.

clones

JWS-223 CVE-2015-0286 openssl: invalid pointer use in ASN1_TYPE_cmp() [jbews-3.0.0]

Closed

Assignee:: George Zaronikas

Reporter:: Tim Walsh

Tester:: Karm Karm

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2016/04/14 7:32 AM

Updated:: 2018/02/06 7:05 AM

Resolved:: 2016/04/14 8:19 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates