OpenSSL contains a flaw that may allow a remote denial of service. The issue is triggered during the parsing of X.509 certificates that contain extension data related to Autonomous System (AS) identifiers or IP address blocks, which will result in an assertion failure. This may cause a loss of availability for the program.

Upgrade to version 0.9.8s or higher or 1.0.0f or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1026485
• CVE ID: 2011-4577 (see also: NVD)
• SCIP VulDB ID: 4517
• Secunia Advisory ID: 47426 47601 47607 47673 47748 47925 48238 49592 49670 50476 52019 52292 52543 52694 52869 52892
• Bugtraq ID: 51281
• CERT VU: 737740
• Related OSVDB ID: 78186 78187 78188 78190 78191
• Vendor Specific News/Changelog Entry: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03141193
  http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03383940
  http://lists.opensuse.org/opensuse-updates/2012-01/msg00029.html
  http://lists.opensuse.org/opensuse-updates/2013-02/msg00069.html
  http://www.gentoo.org/security/en/glsa/glsa-201203-12.xml
  http://www.ibm.com/support/docview.wss?uid=nas12088ececb530423186257b410072035e
  http://www.ibm.com/support/docview.wss?uid=swg21627934
  http://www.ibm.com/support/docview.wss?uid=swg21633107
  http://www.ubuntu.com/usn/usn-1357-1/
  https://www.ibm.com/support/docview.wss?uid=swg21619837
• Vendor Specific Advisory URL: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03383940
  http://openssl.org/news/secadv_20120104.txt
  http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_sterling_connect_enterprise_for_unix_is_affected_by_multiple_vulnerabilities_in_openssl12
  http://www.vmware.com/security/advisories/VMSA-2012-0013.html
  https://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_infosphere_balanced_warehouse_c3000_c4000_and_d5100_and_ibm_smart_analytics_system_1050_2050_5600_and_5710_are_affected_by_vulnerabilities_in_openssl16
• Mail List Post: http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00017.html
  http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00018.html
  http://seclists.org/bugtraq/2012/Jan/151
  http://seclists.org/bugtraq/2012/Jun/170
• Vendor URL: http://openssl.org/
• Packet Storm: http://packetstormsecurity.com/files/121573/HP-Security-Bulletin-HPSBMU02786-SSRT100877-2.html
• RedHat RHSA: RHSA-2012:0059

• Andrew Chi - BBN Technologies