SecurityTracker.com
Category:   Application (VPN)  >   OpenSSL
Vendors:   OpenSSL.org
OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
SecurityTracker Alert ID:  1032817
SecurityTracker URL:  http://securitytracker.com/id/1032817
CVE Reference:   CVE-2015-1793
Date:  Jul 9 2015
Impact:   Modification of authentication information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.0.1o, 1.0.1n, 1.0.2b, 1.0.2c
Description:   A vulnerability was reported in OpenSSL. A remote user can bypass certificate validation on the target system.

When validation of a certificate chain fails, OpenSSL attempts to validate an alternative certificate chain but does not check the CA flag of the untrusted certificates in it. As a result, a remote user can use a valid leaf certificate to cause the target system to accept an invalid certificate as valid.
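The invariant that was violated, shown as an added example (a simplified model written for this page, not OpenSSL's code): every candidate chain, including an alternative one tried after the first fails, must pass the same CA-flag check. The `Cert` fields, function names and sample certificates are hypothetical, and signatures are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Simplified certificate: names only, no signatures (model assumption)."""
    subject: str
    issuer: str
    is_ca: bool            # basicConstraints CA flag
    expired: bool = False

def candidate_chains(leaf, untrusted, trusted, _seen=()):
    """Yield every path from leaf to a trusted root, in discovery order."""
    chain = _seen + (leaf,)
    for root in trusted:
        if root.subject == leaf.issuer:
            yield chain + (root,)
    for c in untrusted:
        if c.subject == leaf.issuer and c not in chain:
            yield from candidate_chains(c, untrusted, trusted, chain)

def check_chain(chain):
    """Checks for one complete candidate; chain[0] is the leaf."""
    if any(c.expired for c in chain):
        return "expired certificate"
    for issuer in chain[1:]:          # every issuer must be a CA
        if not issuer.is_ca:
            return f"{issuer.subject} is not a CA"
    return None

def verify(leaf, untrusted, trusted):
    """Return (accepted chain or None, errors from rejected candidates)."""
    errors = []
    for chain in candidate_chains(leaf, untrusted, trusted):
        err = check_chain(chain)      # same checks for first and alternative chains
        if err is None:
            return chain, errors
        errors.append(err)
    return None, errors

# Constructed sample data: one root, an expired and a current intermediate
# with the same subject, a valid leaf, and a certificate "issued" by that leaf.
ROOT = Cert("Root", "Root", True)
INT_OLD = Cert("Int", "Root", True, expired=True)
INT_NEW = Cert("Int", "Root", True)
GOOD = Cert("good.example", "Int", False)
BAD = Cert("bad.example", "good.example", False)
UNTRUSTED = [GOOD, INT_OLD, INT_NEW]

if __name__ == "__main__":
    print(verify(GOOD, UNTRUSTED, [ROOT]))  # alternative chain accepted
    print(verify(BAD, UNTRUSTED, [ROOT]))   # rejected on every candidate
```
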

Applications that verify certificates are affected.

SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication are affected.

The vendor was notified on June 24, 2015.

Adam Langley/David Benjamin (Google/BoringSSL) reported this vulnerability.

Impact:   A remote user can bypass certificate validation on the target system.
Solution:   The vendor has issued a fix (1.0.1p, 1.0.2d).

The vendor's advisory is available at:

http://openssl.org/news/secadv_20150709.txt

Vendor URL:  openssl.org/news/secadv_20150709.txt
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 9 2015 (FreeBSD Issues Fix) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
FreeBSD has issued a fix for FreeBSD 10-STABLE.
Jul 13 2015 (Cisco Issues Advisory for Cisco Emergency Responder) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
Cisco has issued an advisory for Cisco Emergency Responder.
Jul 13 2015 (Cisco Issues Advisory for Cisco MediaSense) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
Cisco has issued an advisory for Cisco MediaSense.
Jul 13 2015 (Cisco Issues Advisory for Cisco Unified Communications Manager) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
Cisco has issued an advisory for Cisco Unified Communications Manager (UCM) and UCM Session Management Edition (SME).
Jul 15 2015 (Cisco Issues Advisory for Cisco NX-OS) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
Cisco has issued an advisory for Cisco Nexus 5000, 6000, and 7000.
Jul 15 2015 (Cisco Issues Advisory for Cisco Unity Connection) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
Cisco has issued an advisory for Cisco Unity Connection.
Jul 15 2015 (Cisco Issues Advisory for Cisco TelePresence Conductor) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
Cisco has issued an advisory for Cisco TelePresence Conductor.
Jul 15 2015 (Cisco Issues Advisory for Cisco MDS 9000 Series) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
Cisco has issued an advisory for Cisco MDS 9000 Series.
Jul 15 2015 (Cisco Issues Advisory for Cisco Prime Collaboration Deployment and Provisioning) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
Cisco has issued an advisory for Cisco Prime Collaboration Deployment and Cisco Prime Collaboration Provisioning.
Jul 18 2015 (Novell Issues Fix for NetIQ Access Manager) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
Novell has issued a fix for NetIQ Access Manager.
Aug 11 2015 (HP Issues Fix for HP-UX) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
HP has issued a fix for HP-UX 11.31.
Aug 21 2015 (NetBSD Issues Fix) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
NetBSD has issued a fix for NetBSD 5.1, 5.2, 6.0, and 6.1.
Aug 27 2015 (McAfee Issues Fix for McAfee Email Gateway) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
McAfee has issued a fix for McAfee Email Gateway.
Aug 27 2015 (McAfee Issues Fix for McAfee Firewall Enterprise) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
McAfee has issued a fix for McAfee Firewall Enterprise.
Sep 22 2015 (IBM Issues Fix for IBM InfoSphere Information Server) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
IBM has issued a fix for IBM InfoSphere Information Server.
Oct 20 2015 (Oracle Issues Fix for Oracle Enterprise Manager) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
Oracle has issued a fix for Oracle Enterprise Manager.
Oct 20 2015 (Oracle Issues Fix for Oracle Supply Chain Products Suite) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
Oracle has issued a fix for Oracle Supply Chain Products Suite (Oracle Agile Engineering Data Management).
Oct 21 2015 (Oracle Issues Fix for MySQL) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
Oracle has issued a fix for MySQL.
Dec 1 2015 (Brocade Communications Systems Issues Fix for Brocade 5400/5600 vRouters) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
Brocade Communications Systems has issued a fix for Brocade 5400/5600 vRouters.
Jan 19 2016 (Oracle Issues Fix for Oracle Fusion Middleware - Business Intelligence) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
Oracle has issued a fix for Oracle Fusion Middleware (Oracle Business Intelligence Enterprise Edition BI Platform).
Jan 20 2016 (Oracle Issues Fix for Sun Blade) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
Oracle has issued a fix for Sun Blade 6000 Ethernet Switched NEM 24P 10GE.
Apr 19 2016 (Oracle Issues Fix for Oracle JD Edwards EnterpriseOne) OpenSSL Alternative Certificate Chain Validation Flaw Lets Remote Users Forge Certificates
Oracle has issued a fix for Oracle JD Edwards EnterpriseOne.




Copyright 2017, SecurityGlobal.net LLC