CVE-2008-5077

OpenSSL < 0.9.8h - Certificate Chain Validation Bypass via Malformed SSL/TLS Signature

Title source: llm

Description

OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.

References (43)

Core 43

Core References

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/1297

Vendor Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/704-1/

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/1338

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6380

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9155

Mailing List vendor-advisory x_refsource_hp

http://marc.info/?l=bugtraq&m=123859864430555&w=2

Vendor Advisory x_refsource_confirm

http://www.vmware.com/security/advisories/VMSA-2009-0004.html

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html

Vendor Advisory x_refsource_confirm

http://support.apple.com/kb/HT3549

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/499827/100/0/threaded

Vendor Advisory vendor-advisory x_refsource_sunalert

http://sunsolve.sun.com/search/document.do?assetkey=1-66-250826-1

Vendor Advisory x_refsource_confirm

http://www.openssl.org/news/secadv_20090107.txt

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/0558

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id?1021523

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/0362

Third Party Advisory vendor-advisory x_refsource_gentoo

http://security.gentoo.org/glsa/glsa-200902-02.xml

Mailing List vendor-advisory x_refsource_hp

http://marc.info/?l=bugtraq&m=124277349419254&w=2

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/0289

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/35074

Vendor Advisory x_refsource_confirm

http://support.avaya.com/elmodocs2/security/ASA-2009-038.htm

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/34211

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/0040

Mailing List vendor-advisory x_refsource_hp

http://marc.info/?l=bugtraq&m=127678688104458&w=2

Mailing List vendor-advisory x_refsource_apple

http://lists.apple.com/archives/security-announce/2009/May/msg00002.html

Vendor Advisory vendor-advisory x_refsource_slackware

http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.544796

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/0904

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/0913

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/33557

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/33765

Various Sources x_refsource_misc

http://www.ocert.org/advisories/ocert-2008-016.html

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/33673

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/502322/100/0/threaded

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/33436

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/35108

US Government Resource third-party-advisory x_refsource_cert

http://www.us-cert.gov/cas/techalerts/TA09-133A.html

Various Sources x_refsource_confirm

http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=837653

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/33150

Vendor Advisory vendor-advisory x_refsource_redhat

http://www.redhat.com/support/errata/RHSA-2009-0004.html

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/33338

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/33394

Product x_refsource_confirm

http://voodoo-circle.sourceforge.net/sa/sa-20090123-01.html

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/39005

Scores

EPSS 0.0024

EPSS Percentile 46.8%

Details

CWE

CWE-20

Status published

Products (34)

openssl/openssl 0.9.1c

openssl/openssl 0.9.2b

openssl/openssl 0.9.3

openssl/openssl 0.9.3a

openssl/openssl 0.9.4

openssl/openssl 0.9.5 (3 CPE variants)

openssl/openssl 0.9.5a (3 CPE variants)

openssl/openssl 0.9.6 (4 CPE variants)

openssl/openssl 0.9.6a (4 CPE variants)

openssl/openssl 0.9.6b

... and 24 more

Published Jan 07, 2009

Tracked Since Feb 18, 2026