ID CVE-2006-2937
Summary OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition.
References
Vulnerable Configurations
  • cpe:2.3:a:openssl:openssl:0.9.7:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7a:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7a:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7b:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7b:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7c:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7c:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7d:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7d:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7e:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7e:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7f:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7f:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7g:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7g:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7h:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7h:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7i:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7i:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7j:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7j:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7k:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7k:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.8:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8a:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.8a:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8b:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.8b:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8c:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.8c:*:*:*:*:*:*:*
CVSS
Base: 7.8 (as of 18-10-2018 - 16:43)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE COMPLETE
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:C
oval via4
accepted 2013-04-29T04:06:41.889-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition.
family unix
id oval:org.mitre.oval:def:10560
status accepted
submitted 2010-07-09T03:56:16-04:00
title OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition.
version 23
redhat via4
advisories
  • rhsa
    id RHSA-2006:0695
  • rhsa
    id RHSA-2008:0629
rpms
  • openssl-0:0.9.7a-33.21
  • openssl-devel-0:0.9.7a-33.21
  • openssl-perl-0:0.9.7a-33.21
  • openssl096b-0:0.9.6b-16.46
  • openssl-0:0.9.7a-43.14
  • openssl-devel-0:0.9.7a-43.14
  • openssl-perl-0:0.9.7a-43.14
  • openssl096b-0:0.9.6b-22.46
refmap via4
apple APPLE-SA-2006-11-28
bid
  • 20248
  • 28276
bugtraq
  • 20060928 rPSA-2006-0175-1 openssl openssl-scripts
  • 20060929 rPSA-2006-0175-2 openssl openssl-scripts
  • 20070110 VMware ESX server security updates
  • 20080318 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues
cert TA06-333A
cert-vn VU#247744
cisco
  • 20061108 Multiple Vulnerabilities in OpenSSL Library
  • 20061108 Multiple Vulnerabilities in OpenSSL library
confirm
debian DSA-1185
freebsd FreeBSD-SA-06:23.openssl
fulldisc 20060928 [SECURITY] OpenSSL 0.9.8d and 0.9.7l released
gentoo
  • GLSA-200610-11
  • GLSA-200612-11
hp
  • HPSBMA02250
  • HPSBOV02683
  • HPSBTU02207
  • HPSBUX02174
  • HPSBUX02186
  • SSRT061213
  • SSRT061239
  • SSRT061275
  • SSRT071299
  • SSRT071304
  • SSRT090208
mandriva
  • MDKSA-2006:172
  • MDKSA-2006:177
  • MDKSA-2006:178
mlist
  • [bind-announce] 20061103 Internet Systems Consortium Security Advisory. [revised]
  • [security-announce] 20080317 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues
netbsd NetBSD-SA2008-007
openbsd [3.9] 20061007 013: SECURITY FIX: October 7, 2006
openpkg OpenPKG-SA-2006.021
osvdb 29260
sectrack 1016943
secunia
  • 22094
  • 22116
  • 22130
  • 22165
  • 22166
  • 22172
  • 22186
  • 22193
  • 22207
  • 22212
  • 22216
  • 22220
  • 22240
  • 22259
  • 22260
  • 22284
  • 22298
  • 22330
  • 22385
  • 22460
  • 22487
  • 22544
  • 22626
  • 22671
  • 22758
  • 22772
  • 22799
  • 23038
  • 23131
  • 23155
  • 23280
  • 23309
  • 23340
  • 23351
  • 23680
  • 23915
  • 24930
  • 24950
  • 25889
  • 26329
  • 30124
  • 31492
  • 31531
sgi 20061001-01-P
slackware SSA:2006-272-01
sunalert
  • 102668
  • 102747
  • 200585
  • 201534
suse
  • SUSE-SA:2006:058
  • SUSE-SR:2006:024
trustix 2006-0054
ubuntu USN-353-1
vupen
  • ADV-2006-3820
  • ADV-2006-3860
  • ADV-2006-3869
  • ADV-2006-3902
  • ADV-2006-3936
  • ADV-2006-4019
  • ADV-2006-4036
  • ADV-2006-4264
  • ADV-2006-4327
  • ADV-2006-4329
  • ADV-2006-4401
  • ADV-2006-4417
  • ADV-2006-4750
  • ADV-2006-4761
  • ADV-2006-4980
  • ADV-2007-0343
  • ADV-2007-1401
  • ADV-2007-2315
  • ADV-2007-2783
  • ADV-2008-0905
  • ADV-2008-2396
xf openssl-asn1-error-dos(29228)
statements via4
contributor Mark J Cox
lastmodified 2007-03-14
organization Red Hat
statement Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Last major update 18-10-2018 - 16:43
Published 28-09-2006 - 18:07
Back to Top