80040 : OpenSSL crypto/asn1/asn_mime.c mime_param_cmp() Function MIME Header Parsing Remote DoS
Printer | http://osvdb.org/80040 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
8	745	about 1 year ago	8 days ago	14 times	100%

Timeline

Disclosure Date
2012-03-12

Description

OpenSSL contains a flaw that may allow a remote denial of service. A Null pointer deference in the rypto/asn1/asn_mime.c mime_param_cmp() function when parsing MIME headers will result in a loss of availability for the program.

Classification

Location: Remote / Network Access
Attack Type: Denial of Service
Impact: Loss of Availability
Solution: Upgrade
Exploit: Exploit Unknown
Disclosure: Vendor Verified

Solution

Upgrade to version 1.0.0h or 0.9.8u or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

The OpenSSL Project	OpenSSL	1.0.0g
		0.9.8t

IBM Corporation	Security Network Intrusion Prevention System	1.7
		1.8
		2.4
		2.5
		3.2
		3.3
		4.1
		4.2
		4.3
		4.4
		4.5

References

Security Tracker: 1026787
CVE ID: 2012-1165 (see also: NVD)
Secunia Advisory ID: 46958 48580 48704 48895 48899 49229 49309 49592 49670 50097 50614 50678 50736 52292 52334 53065
Related OSVDB ID: 80039
Vendor Specific News/Changelog Entry: http://aix.software.ibm.com/aix/efixes/security/openssl_advisory4.asc
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03383940
http://lists.debian.org/debian-security-announce/2012/msg00090.html
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00018.html
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00020.html
http://lists.opensuse.org/opensuse-updates/2012-04/msg00022.html
http://lists.opensuse.org/opensuse-updates/2013-02/msg00069.html
http://www-01.ibm.com/support/docview.wss?uid=swg21626257
http://www.ibm.com/support/docview.wss?uid=swg21631322
http://www.ubuntu.com/usn/usn-1424-1/
http://www.us.debian.org/security/2012/dsa-2454
Vendor Specific Solution URL: http://cvs.openssl.org/chngview?cn=22252
Vendor Specific Advisory URL: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03383940
http://www.openssl.org/news/secadv_20120312.txt
https://downloads.avaya.com/css/P8/documents/100162507
https://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03333987&ac.admitted=1337324854606.876444892.492883150
Vendor URL: http://openssl.org/
Packet Storm: http://packetstormsecurity.com/files/121573/HP-Security-Bulletin-HPSBMU02786-SSRT100877-2.html
Mail List Post: http://seclists.org/bugtraq/2012/Jun/170
http://seclists.org/bugtraq/2012/May/98
Other Advisory URL: http://www.openwall.com/lists/oss-security/2012/03/12/3
http://www.openwall.com/lists/oss-security/2012/03/12/6
http://www.openwall.com/lists/oss-security/2012/03/12/7
http://www.openwall.com/lists/oss-security/2012/03/13/2
RedHat RHSA: RHSA-2012:0426 RHSA-2012:1306 RHSA-2012:1307 RHSA-2012:1308

Credit

Not Available

CVSSv2 Score

CVSSv2 Base Score = 5.0
Source: nvd.nist.gov | Generated: 2012-03-16 | Disagree?

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Timeline

Description

Classification

Solution

Products

The OpenSSL Project

OpenSSL

IBM Corporation

Security Network Intrusion Prevention System

References

Credit

CVSSv2 Score

Comments