SecurityTracker: (Sun Grid Engine is Affected) OpenSSL ASN.1 Bugs, SSL_get_shared_ciphers() Buffer Overflow, and SSLv2 Client Error Lets Remote Users Denial of Service or Execute Arbitrary Code

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > Sun Grid Engine

(Sun Grid Engine is Affected) OpenSSL ASN.1 Bugs, SSL_get_shared_ciphers() Buffer Overflow, and SSLv2 Client Error Lets Remote Users Denial of Service or Execute Arbitrary Code

SecurityTracker Alert ID: 1017066

SecurityTracker URL: http://securitytracker.com/id/1017066

CVE Reference: CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4343 (Links to External Site)

Date: Oct 16 2006

Impact: Denial of service via network, Execution of arbitrary code via network, User access via network

Vendor Confirmed: Yes

Version(s): 5.3, 6.0

Description: Several vulnerabilities were reported in OpenSSL. A remote user can cause denial of service conditions. A remote user can execute arbitrary code on the target system. Sun Grid Engine is affected.

A remote user can send specially crafted, invalid ASN.1 structures to trigger an infinite loop [CVE-2006-2937]. As a result, the process will consume excessive system memory. Versions prior to 0.9.7 are not affected.

A remote user can use certain types of public keys to cause the target system to take a disproportionate amount of time to process [CVE-2006-2940].

Dr. S. N. Henson developed the ASN.1 test suite for NISCC that uncovered these denial of service vulnerabilities.

A user can send a specially crafted list of ciphers to an application that uses the SSL_get_shared_ciphers() function to trigger a buffer overflow and potentially execute arbitrary code [CVE-2006-3738]. The vendor credits Tavis Ormandy and Will Drewry of the Google Security Team with reporting this vulnerability.

A remote server can cause a connected SSLv2 client to crash [CVE-2006-4343]. The vendor credits Tavis Ormandy and Will Drewry of the Google Security Team with reporting this vulnerability.

Impact: A remote user can execute arbitrary code on the target system.

A remote user can cause denial of service conditions.

Solution: Sun has indicated that Sun Grid Engine is affected by this OpenSSL vulnerability.

No solution was available for Sun Grid Engine at the time of this entry.

The Sun advisory is available at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1

Vendor URL: sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1 (Links to External Site)

Cause: Boundary error, Exception handling error, State error

Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (OS X), UNIX (SGI/IRIX), UNIX (Solaris - SunOS), Windows (Any)

Message History: This archive entry is a follow-up to the message listed below.

OpenSSL ASN.1 Bugs, SSL_get_shared_ciphers() Buffer Overflow, and SSLv2 Client Error Lets Remote Users Denial of Service or Execute Arbitrary Code

Source Message Contents

Date: Sun, 15 Oct 2006 21:47:52 -0400
Subject: Sun Grid Engine



http://sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1

CVE-2006-2937
CVE-2006-2940
CVE-2006-3738
CVE-2006-4343

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2012, SecurityGlobal.net LLC