ID CVE-2008-0891
Summary Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS server name extensions are enabled, allows remote attackers to cause a denial of service (crash) via a malformed Client Hello packet. NOTE: some of these details are obtained from third party information.
References
Vulnerable Configurations
  • cpe:2.3:a:openssl:openssl:0.9.8g:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8f:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 13-02-2023 - 02:18)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:N/A:P
refmap via4
bid 29405
cert-vn VU#661475
confirm
fedora FEDORA-2008-4723
gentoo GLSA-200806-08
mandriva MDVSA-2008:107
misc
sectrack 1020121
secunia
  • 30405
  • 30460
  • 30825
  • 30852
  • 30868
  • 31228
  • 31288
slackware SSA:2008-210-08
ubuntu USN-620-1
vupen
  • ADV-2008-1680
  • ADV-2008-1937
xf openssl-servername-dos(42666)
statements via4
contributor Mark J Cox
lastmodified 2008-05-30
organization Red Hat
statement Not vulnerable. This issue did not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
Last major update 13-02-2023 - 02:18
Published 29-05-2008 - 16:32
Last modified 13-02-2023 - 02:18