(HP Issues Fix for HP-UX) OpenSSL Cryptographic Message Syntax Processing Flaw Lets Remote Users Trigger Memory Errors
|
|
SecurityTracker Alert ID: 1024815 |
|
SecurityTracker URL: http://securitytracker.com/id/1024815
|
|
CVE Reference:
CVE-2010-0742
|
Date: Dec 2 2010
|
Impact:
Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): prior to 0.9.8h
|
Description:
A vulnerability was reported in OpenSSL. A remote user can write to invalid memory addresses on the target system.
A remote user can send specially crafted Cryptographic Message Syntax (CMS) structures containing OriginatorInfo to write to invalid memory addresses or trigger a double-free on the target system.
Only the CMS code is affected. That code is present in version 0.9.8h and later (where it is disabled by default) and in version 1.0.0 (where it is enabled by default).
Ronald Moesbergen reported this vulnerability.
|
Impact:
A remote user can write to invalid memory addresses on the target system.
[Editor's note: The resulting impact was not specified.]
|
Solution:
HP has issued a fix.
The HP advisory is available at:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02629503
|
Vendor URL: www.openssl.org/news/secadv_20100601.txt
|
Cause:
Input validation error
|
Underlying OS:
UNIX (HP/UX)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Thu, 02 Dec 2010 03:58:22 +0000
Subject: HPSBUX02610 SSRT100341 rev.1 - HP-UX Running OpenSSL, Remote Execution of Arbitrary Code, Denial of Service (DoS)
|
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02629503
CVE-2010-0742
|
|