ID CVE-2002-0082
Summary The dbm and shm session cache code in mod_ssl before 2.8.7-1.3.23, and Apache-SSL before 1.3.22+1.46, does not properly initialize memory using the i2d_SSL_SESSION function, which allows remote attackers to use a buffer overflow to execute arbitrary code via a large client certificate that is signed by a trusted Certificate Authority (CA), which produces a large serialized session.
References
Vulnerable Configurations
  • cpe:2.3:a:apache-ssl:apache-ssl:1.40:*:*:*:*:*:*:*
  • cpe:2.3:a:apache-ssl:apache-ssl:1.41:*:*:*:*:*:*:*
  • cpe:2.3:a:apache-ssl:apache-ssl:1.42:*:*:*:*:*:*:*
  • cpe:2.3:a:apache-ssl:apache-ssl:1.44:*:*:*:*:*:*:*
  • cpe:2.3:a:apache-ssl:apache-ssl:1.45:*:*:*:*:*:*:*
  • cpe:2.3:a:apache-ssl:apache-ssl:1.46:*:*:*:*:*:*:*
  • cpe:2.3:a:mod_ssl:mod_ssl:2.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mod_ssl:mod_ssl:2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:mod_ssl:mod_ssl:2.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mod_ssl:mod_ssl:2.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mod_ssl:mod_ssl:2.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mod_ssl:mod_ssl:2.8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mod_ssl:mod_ssl:2.8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mod_ssl:mod_ssl:2.8.6:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 18-10-2016 - 02:16)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • rhsa
    id RHSA-2002:041
  • rhsa
    id RHSA-2002:042
  • rhsa
    id RHSA-2002:045
refmap via4
bid 4189
bugtraq
  • 20020227 mod_ssl Buffer Overflow Condition (Update Available)
  • 20020228 TSLSA-2002-0034 - apache
  • 20020301 Apache-SSL buffer overflow (fix available)
  • 20020304 Apache-SSL 1.3.22+1.47 - update to security fix
caldera CSSA-2002-011.0
compaq SSRT0817
conectiva CLA-2002:465
confirm http://www.apacheweek.com/issues/02-03-01#security
debian DSA-120
engarde ESA-20020301-005
hp
  • HPSBTL0203-031
  • HPSBUX0204-190
mandrake MDKSA-2002:020
misc http://packetstormsecurity.com/files/153567/Apache-mod_ssl-OpenSSL-Remote-Buffer-Overflow.html
xf apache-modssl-bo(8308)
Last major update 18-10-2016 - 02:16
Published 15-03-2002 - 05:00
Last modified 18-10-2016 - 02:16