ID CVE-2012-0027
Summary The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client.
References
Vulnerable Configurations
  • OpenSSL Project OpenSSL 1.0.0e
    cpe:2.3:a:openssl:openssl:1.0.0e
  • OpenSSL Project OpenSSL 1.0.0d
    cpe:2.3:a:openssl:openssl:1.0.0d
  • OpenSSL Project OpenSSL 1.0.0c
    cpe:2.3:a:openssl:openssl:1.0.0c
  • OpenSSL Project OpenSSL 1.0.0b
    cpe:2.3:a:openssl:openssl:1.0.0b
  • OpenSSL Project OpenSSL 1.0.0a
    cpe:2.3:a:openssl:openssl:1.0.0a
  • OpenSSL Project OpenSSL 1.0.0 Beta5
    cpe:2.3:a:openssl:openssl:1.0.0:beta5
  • OpenSSL Project OpenSSL 1.0.0 Beta4
    cpe:2.3:a:openssl:openssl:1.0.0:beta4
  • OpenSSL Project OpenSSL 1.0.0 Beta3
    cpe:2.3:a:openssl:openssl:1.0.0:beta3
  • OpenSSL Project OpenSSL 1.0.0 Beta2
    cpe:2.3:a:openssl:openssl:1.0.0:beta2
  • OpenSSL Project OpenSSL 1.0.0 Beta1
    cpe:2.3:a:openssl:openssl:1.0.0:beta1
  • OpenSSL Project OpenSSL 1.0.0
    cpe:2.3:a:openssl:openssl:1.0.0
  • OpenSSL Project OpenSSL 0.9.8s
    cpe:2.3:a:openssl:openssl:0.9.8s
  • OpenSSL Project OpenSSL 0.9.8r
    cpe:2.3:a:openssl:openssl:0.9.8r
  • OpenSSL Project OpenSSL 0.9.8g
    cpe:2.3:a:openssl:openssl:0.9.8g
  • OpenSSL Project OpenSSL 0.9.8f
    cpe:2.3:a:openssl:openssl:0.9.8f
  • OpenSSL Project OpenSSL 0.9.8n
    cpe:2.3:a:openssl:openssl:0.9.8n
  • OpenSSL Project OpenSSL 0.9.8q
    cpe:2.3:a:openssl:openssl:0.9.8q
  • OpenSSL Project OpenSSL 0.9.8o
    cpe:2.3:a:openssl:openssl:0.9.8o
  • OpenSSL Project OpenSSL 0.9.8l
    cpe:2.3:a:openssl:openssl:0.9.8l
  • OpenSSL Project OpenSSL 0.9.8p
    cpe:2.3:a:openssl:openssl:0.9.8p
  • OpenSSL Project OpenSSL 0.9.8h
    cpe:2.3:a:openssl:openssl:0.9.8h
  • OpenSSL Project OpenSSL 0.9.8m
    cpe:2.3:a:openssl:openssl:0.9.8m
  • OpenSSL Project OpenSSL 0.9.8k
    cpe:2.3:a:openssl:openssl:0.9.8k
  • OpenSSL Project OpenSSL 0.9.8i
    cpe:2.3:a:openssl:openssl:0.9.8i
  • OpenSSL Project OpenSSL 0.9.8j
    cpe:2.3:a:openssl:openssl:0.9.8j
  • OpenSSL Project OpenSSL 0.9.8
    cpe:2.3:a:openssl:openssl:0.9.8
  • OpenSSL Project OpenSSL 0.9.8a
    cpe:2.3:a:openssl:openssl:0.9.8a
  • OpenSSL Project OpenSSL 0.9.8e
    cpe:2.3:a:openssl:openssl:0.9.8e
  • OpenSSL Project OpenSSL 0.9.8c
    cpe:2.3:a:openssl:openssl:0.9.8c
  • OpenSSL Project OpenSSL 0.9.8b
    cpe:2.3:a:openssl:openssl:0.9.8b
  • OpenSSL Project OpenSSL 0.9.8d
    cpe:2.3:a:openssl:openssl:0.9.8d
  • OpenSSL Project OpenSSL 0.9.7m
    cpe:2.3:a:openssl:openssl:0.9.7m
  • OpenSSL Project OpenSSL 0.9.7l
    cpe:2.3:a:openssl:openssl:0.9.7l
  • OpenSSL Project OpenSSL 0.9.7k
    cpe:2.3:a:openssl:openssl:0.9.7k
  • OpenSSL Project OpenSSL 0.9.7j
    cpe:2.3:a:openssl:openssl:0.9.7j
  • OpenSSL Project OpenSSL 0.9.7i
    cpe:2.3:a:openssl:openssl:0.9.7i
  • OpenSSL Project OpenSSL 0.9.7h
    cpe:2.3:a:openssl:openssl:0.9.7h
  • OpenSSL Project OpenSSL 0.9.7g
    cpe:2.3:a:openssl:openssl:0.9.7g
  • OpenSSL Project OpenSSL 0.9.7f
    cpe:2.3:a:openssl:openssl:0.9.7f
  • OpenSSL Project OpenSSL 0.9.7e
    cpe:2.3:a:openssl:openssl:0.9.7e
  • OpenSSL Project OpenSSL 0.9.7d
    cpe:2.3:a:openssl:openssl:0.9.7d
  • OpenSSL Project OpenSSL 0.9.7c
    cpe:2.3:a:openssl:openssl:0.9.7c
  • OpenSSL Project OpenSSL 0.9.7b
    cpe:2.3:a:openssl:openssl:0.9.7b
  • OpenSSL Project OpenSSL 0.9.7a
    cpe:2.3:a:openssl:openssl:0.9.7a
  • OpenSSL Project OpenSSL 0.9.7
    cpe:2.3:a:openssl:openssl:0.9.7
  • OpenSSL Project OpenSSL 0.9.6m
    cpe:2.3:a:openssl:openssl:0.9.6m
  • OpenSSL Project OpenSSL 0.9.6l
    cpe:2.3:a:openssl:openssl:0.9.6l
  • OpenSSL Project OpenSSL 0.9.6k
    cpe:2.3:a:openssl:openssl:0.9.6k
  • OpenSSL Project OpenSSL 0.9.6j
    cpe:2.3:a:openssl:openssl:0.9.6j
  • OpenSSL Project OpenSSL 0.9.6i
    cpe:2.3:a:openssl:openssl:0.9.6i
  • cpe:2.3:a:openssl:openssl:0.9.6h:bogus
    cpe:2.3:a:openssl:openssl:0.9.6h:bogus
  • OpenSSL Project OpenSSL 0.9.6h
    cpe:2.3:a:openssl:openssl:0.9.6h
  • OpenSSL Project OpenSSL 0.9.6g
    cpe:2.3:a:openssl:openssl:0.9.6g
  • OpenSSL Project OpenSSL 0.9.6f
    cpe:2.3:a:openssl:openssl:0.9.6f
  • OpenSSL Project OpenSSL 0.9.6e
    cpe:2.3:a:openssl:openssl:0.9.6e
  • OpenSSL Project OpenSSL 0.9.6d
    cpe:2.3:a:openssl:openssl:0.9.6d
  • OpenSSL Project OpenSSL 0.9.6c
    cpe:2.3:a:openssl:openssl:0.9.6c
  • OpenSSL Project OpenSSL 0.9.6b
    cpe:2.3:a:openssl:openssl:0.9.6b
  • OpenSSL Project OpenSSL 0.9.6a
    cpe:2.3:a:openssl:openssl:0.9.6a
  • OpenSSL Project OpenSSL 0.9.6
    cpe:2.3:a:openssl:openssl:0.9.6
  • OpenSSL Project OpenSSL 0.9.5a
    cpe:2.3:a:openssl:openssl:0.9.5a
  • OpenSSL Project OpenSSL 0.9.5
    cpe:2.3:a:openssl:openssl:0.9.5
  • OpenSSL Project OpenSSL 0.9.4
    cpe:2.3:a:openssl:openssl:0.9.4
  • OpenSSL Project OpenSSL 0.9.3a
    cpe:2.3:a:openssl:openssl:0.9.3a
  • OpenSSL Project OpenSSL 0.9.3
    cpe:2.3:a:openssl:openssl:0.9.3
  • OpenSSL Project OpenSSL 0.9.2b
    cpe:2.3:a:openssl:openssl:0.9.2b
  • OpenSSL Project OpenSSL 0.9.1c
    cpe:2.3:a:openssl:openssl:0.9.1c
CVSS
Base: 5.0 (as of 06-01-2012 - 09:10)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-153.NASL
    description openssl was updated to 1.0.0k security release to fix bugs and security issues. (bnc#802648 bnc#802746) The version was upgraded to avoid backporting the large fixes for SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169) TLS 1.1 and 1.2 AES-NI crash (CVE-2012-2686) OCSP invalid key DoS issue (CVE-2013-0166) Also the following bugfix was included: bnc#757773 - c_rehash to accept more filename extensions
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74901
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74901
    title openSUSE Security Update : openssl (openSUSE-SU-2013:0336-1)
  • NASL family Web Servers
    NASL id HPSMH_7_1_1_1.NASL
    description According to the web server's banner, the version of HP System Management Homepage (SMH) hosted on the remote host is earlier than 7.1.1 and is, therefore, reportedly affected by the following vulnerabilities : - The bundled version of the libxml2 library contains multiple vulnerabilities. (CVE-2011-1944, CVE-2011-2821, CVE-2011-2834) - The bundled version of PHP contains multiple vulnerabilities. (CVE-2011-3379, CVE-2011-4153, CVE-2011-4885, CVE-2012-1823, CVE-2012-0057, CVE-2012-0830) - The bundled version of the Apache HTTP Server contains multiple vulnerabilities. (CVE-2011-3607, CVE-2011-4317, CVE-2011-4415, CVE-2012-0021, CVE-2012-0031, CVE-2012-0053) - An issue exists in the 'include/iniset.php' script in the embedded RoundCube Webmail version that could lead to a denial of service. (CVE-2011-4078) - The bundled version of OpenSSL contains multiple vulnerabilities. (CVE-2011-4108, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2012-0027, CVE-2012-1165) - The bundled version of curl and libcurl does not properly consider special characters during extraction of a pathname from a URL. (CVE-2012-0036) - An off autocomplete attribute does not exist for unspecified form fields, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. (CVE-2012-2012) - An unspecified vulnerability exists that could allow a remote attacker to cause a denial of service, or possibly obtain sensitive information or modify data. (CVE-2012-2013) - An unspecified vulnerability exists related to improper input validation. (CVE-2012-2014) - An unspecified vulnerability allows remote, unauthenticated users to gain privileges and obtain sensitive information. (CVE-2012-2015) - An unspecified vulnerability allows local users to obtain sensitive information via unknown vectors. (CVE-2012-2016)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 59851
    published 2012-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59851
    title HP System Management Homepage < 7.1.1 Multiple Vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1357-1.NASL
    description It was discovered that the elliptic curve cryptography (ECC) subsystem in OpenSSL, when using the Elliptic Curve Digital Signature Algorithm (ECDSA) for the ECDHE_ECDSA cipher suite, did not properly implement curves over binary fields. This could allow an attacker to determine private keys via a timing attack. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-1945) Adam Langley discovered that the ephemeral Elliptic Curve Diffie-Hellman (ECDH) functionality in OpenSSL did not ensure thread safety while processing handshake messages from clients. This could allow a remote attacker to cause a denial of service via out-of-order messages that violate the TLS protocol. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-3210) Nadhem Alfardan and Kenny Paterson discovered that the Datagram Transport Layer Security (DTLS) implementation in OpenSSL performed a MAC check only if certain padding is valid. This could allow a remote attacker to recover plaintext. (CVE-2011-4108) Antonio Martin discovered that a flaw existed in the fix to address CVE-2011-4108, the DTLS MAC check failure. This could allow a remote attacker to cause a denial of service. (CVE-2012-0050) Ben Laurie discovered a double free vulnerability in OpenSSL that could be triggered when the X509_V_FLAG_POLICY_CHECK flag is enabled. This could allow a remote attacker to cause a denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-4109) It was discovered that OpenSSL, in certain circumstances involving ECDH or ECDHE cipher suites, used an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves. This could allow a remote attacker to obtain the private key of a TLS server via multiple handshake attempts. This issue only affected Ubuntu 8.04 LTS. (CVE-2011-4354) Adam Langley discovered that the SSL 3.0 implementation in OpenSSL did not properly initialize data structures for block cipher padding. This could allow a remote attacker to obtain sensitive information. (CVE-2011-4576) Andrew Chi discovered that OpenSSL, when RFC 3779 support is enabled, could trigger an assert when handling an X.509 certificate containing certificate-extension data associated with IP address blocks or Autonomous System (AS) identifiers. This could allow a remote attacker to cause a denial of service. (CVE-2011-4577) Adam Langley discovered that the Server Gated Cryptography (SGC) implementation in OpenSSL did not properly handle handshake restarts. This could allow a remote attacker to cause a denial of service. (CVE-2011-4619) Andrey Kulikov discovered that the GOST block cipher engine in OpenSSL did not properly handle invalid parameters. This could allow a remote attacker to cause a denial of service via crafted data from a TLS client. This issue only affected Ubuntu 11.10. (CVE-2012-0027). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 57887
    published 2012-02-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57887
    title Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : openssl vulnerabilities (USN-1357-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2012-007.NASL
    description Multiple vulnerabilities have been found and corrected in openssl : The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack (CVE-2011-4108). Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check (CVE-2011-4109). The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer (CVE-2011-4576). The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service via unspecified vectors (CVE-2011-4619). The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client (CVE-2012-0027). The updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 61942
    published 2012-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61942
    title Mandriva Linux Security Advisory : openssl (MDVSA-2012:007)
  • NASL family Web Servers
    NASL id OPENSSL_1_0_0F.NASL
    description According to its banner, the remote web server is running a version of OpenSSL 1.x that is earlier than 1.0.0f. Such versions are affected by the following vulnerabilities : - The Datagram Transport Layer Security (DTLS) implementation is vulnerable to plaintext recovery attacks when decrypting in CBC mode. (CVE-2011-4108) - An error exists related to SSLv3.0 records that can lead to disclosure of uninitialized memory because the library does not clear all bytes used as block cipher padding. (CVE-2011-4576) - An error exists related to RFC 3779 processing that can allow denial of service attacks. Note that this functionality is not enabled by default and must be configured at compile time via the 'enable-rfc3779' option. (CVE-2011-4577) - An error exists related to handshake restarts for server gated cryptography (SGC) that can allow denial of service attacks. (CVE-2011-4619) - An error exists in the GOST implementation that can allow invalid GOST parameters to crash the server. (CVE-2012-0027)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 57460
    published 2012-01-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57460
    title OpenSSL 1.x < 1.0.0f Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_4_LIBOPENSSL-DEVEL-120111.NASL
    description Various security vulnerabilities have been fixed in openssl : - DTLS plaintext recovery attack (CVE-2011-4108) - uninitialized SSL 3.0 padding (CVE-2011-4576) - malformed RFC 3779 data can cause assertion failures (CVE-2011-4577) - SGC restart DoS attack (CVE-2011-4619) - invalid GOST parameters DoS attack (CVE-2012-0027)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75908
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75908
    title openSUSE Security Update : libopenssl-devel (openSUSE-SU-2012:0083-1)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_78CC8A463E5611E189B4001EC9578670.NASL
    description The OpenSSL Team reports : 6 security flaws have been fixed in OpenSSL 1.0.0f : If X509_V_FLAG_POLICY_CHECK is set in OpenSSL 0.9.8, then a policy check failure can lead to a double-free. OpenSSL prior to 1.0.0f and 0.9.8s failed to clear the bytes used as block cipher padding in SSL 3.0 records. As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory. RFC 3779 data can be included in certificates, and if it is malformed, may trigger an assertion failure. This could be used in a denial-of-service attack. Support for handshake restarts for server gated cryptography (SGC) can be used in a denial-of-service attack. A malicious TLS client can send an invalid set of GOST parameters which will cause the server to crash due to lack of error checking. This could be used in a denial-of-service attack.
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 57551
    published 2012-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57551
    title FreeBSD : OpenSSL -- multiple vulnerabilities (78cc8a46-3e56-11e1-89b4-001ec9578670)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_OPENSSL_20120404.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack. (CVE-2011-4108) - Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check. (CVE-2011-4109) - The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer. (CVE-2011-4576) - OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers. (CVE-2011-4577) - The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors. (CVE-2011-4619) - The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client. (CVE-2012-0027) - OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, which allows remote attackers to cause a denial of service (crash) via unspecified vectors related to an out-of-bounds read. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4108. (CVE-2012-0050)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 80715
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80715
    title Oracle Solaris Third-Party Patch Update : openssl (cve_2012_0050_denial_of)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_LIBOPENSSL-DEVEL-120111.NASL
    description Various security vulnerabilities have been fixed in openssl : - DTLS plaintext recovery attack (CVE-2011-4108) - uninitialized SSL 3.0 padding (CVE-2011-4576) - malformed RFC 3779 data can cause assertion failures (CVE-2011-4577) - SGC restart DoS attack (CVE-2011-4619) - invalid GOST parameters DoS attack (CVE-2012-0027)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75598
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75598
    title openSUSE Security Update : libopenssl-devel (openSUSE-SU-2012:0083-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2012-52.NASL
    description openssl was prone to several security issues : - DTLS Plaintext Recovery Attack (CVE-2011-4108) - Uninitialized SSL 3.0 Padding (CVE-2011-4576) - Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577) - SGC Restart DoS Attack (CVE-2011-4619) - Invalid GOST parameters DoS Attack (CVE-2012-0027)
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 74722
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74722
    title openSUSE Security Update : openssl (openSUSE-2012-52)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201203-12.NASL
    description The remote host is affected by the vulnerability described in GLSA-201203-12 (OpenSSL: Multiple vulnerabilities) Multiple vulnerabilities have been found in OpenSSL: Timing differences for decryption are exposed by CBC mode encryption in OpenSSL’s implementation of DTLS (CVE-2011-4108). A policy check failure can result in a double-free error when X509_V_FLAG_POLICY_CHECK is set (CVE-2011-4109). Clients and servers using SSL 3.0 handshakes do not clear the block cipher padding, allowing a record to contain up to 15 bytes of uninitialized memory, which could include sensitive information (CVE-2011-4576). Assertion errors can occur during the handling of malformed X.509 certificates when OpenSSL is built with RFC 3779 support (CVE-2011-4577). A resource management error can occur when OpenSSL’s server gated cryptography (SGC) does not properly handle handshake restarts (CVE-2011-4619). Invalid parameters in the GOST block cipher are not properly handled by the GOST ENGINE (CVE-2012-0027). An incorrect fix for CVE-2011-4108 creates an unspecified vulnerability for DTLS applications using OpenSSL (CVE-2012-0050). Impact : A remote attacker may be able to cause a Denial of Service or obtain sensitive information, including plaintext passwords. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 58222
    published 2012-03-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58222
    title GLSA-201203-12 : OpenSSL: Multiple vulnerabilities
refmap via4
confirm
hp
  • HPSBMU02786
  • SSRT100877
mandriva MDVSA-2012:007
osvdb 78191
secunia 57353
suse openSUSE-SU-2012:0083
Last major update 26-03-2014 - 00:27
Published 05-01-2012 - 20:55