CVE-2015-0289

OpenSSL < 0.9.8ze, 1.0.0 < 1.0.0r, 1.0.1 < 1.0.1m, 1.0.2 < 1.0.2a - Denial of Service via PKCS#7 ContentInfo Handling

Title source: llm
STIX 2.1

Description

The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c.

References (44)

Core 44
Core References
Mailing List, Third Party Advisory vendor-advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/156823.html
Third Party Advisory, VDB Entry vdb-entry
http://www.securitytracker.com/id/1031929
Mailing List, Third Party Advisory vendor-advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157177.html
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/201503-11
Vendor Advisory vendor-advisory
http://rhn.redhat.com/errata/RHSA-2015-0715.html
Vendor Advisory vendor-advisory
http://rhn.redhat.com/errata/RHSA-2015-0716.html
Vendor Advisory vendor-advisory
http://rhn.redhat.com/errata/RHSA-2015-0752.html
Vendor Advisory vendor-advisory
http://rhn.redhat.com/errata/RHSA-2015-0800.html
Third Party Advisory vendor-advisory
http://www.debian.org/security/2015/dsa-3197
Vendor Advisory vendor-advisory
http://www.ubuntu.com/usn/USN-2537-1
Third Party Advisory, VDB Entry vdb-entry
http://www.securityfocus.com/bid/73231

Scores

EPSS 0.0579
EPSS Percentile 90.6%

Details

Status published
Products (33)
openssl/openssl 1.0.0
openssl/openssl 1.0.0a
openssl/openssl 1.0.0b
openssl/openssl 1.0.0c
openssl/openssl 1.0.0d
openssl/openssl 1.0.0e
openssl/openssl 1.0.0f
openssl/openssl 1.0.0g
openssl/openssl 1.0.0h
openssl/openssl 1.0.0i
... and 23 more
Published Mar 19, 2015
Tracked Since Feb 18, 2026