Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Производитель ПО
Наименование ПО
OpenSSL
(0.9.6, 0.9.6k, 0.9.7, 0.9.7c)
Описание
Целочисленное переполнение в OpenSSL позволяет злоумышленникам, действующим удаленно, вызвать отказ в обслуживании (аварийное завершение), используя сертификат SSL-клиента с некоторым значением тэга ASN.1.
Как исправить
Используйте рекомендации производителя:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030930-ssl
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030930-ssl
Ссылки
Security Focus (BID: 8732): http://www.securityfocus.com/bid/8732/
RedHat (RHSA-2003:291): http://www.redhat.com/support/errata/RHSA-2003-291.html
RedHat (OpenSSL ASN.1 protocol crashes): http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=104893
MISC (http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm): http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
REDHAT (RHSA-2003:292): http://www.redhat.com/support/errata/RHSA-2003-292.html
ENGARDE (ESA-20030930-027): http://www.linuxsecurity.com/advisories/engarde_advisory-3693.html
DEBIAN (DSA-393): http://www.debian.org/security/2003/dsa-393
DEBIAN (DSA-394): http://www.debian.org/security/2003/dsa-394
OVAL (OVAL4254): http://oval.mitre.org/oval/definitions/data/oval4254.html
CERT (CA-2003-26): http://www.cert.org/advisories/CA-2003-26.html
CERT-VN (VU#255484): http://www.kb.cert.org/vuls/id/255484
http://www-1.ibm.com/support/docview.wss?uid=swg21247112
FRSIRT (ADV-2006-3900): http://www.frsirt.com/english/advisories/2006/3900
OVAL (oval:org.mitre.oval:def:4254): http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:4254
BID (8732): http://www.securityfocus.com/bid/8732
CISCO: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030930-ssl
RedHat (RHSA-2003:291): http://www.redhat.com/support/errata/RHSA-2003-291.html
RedHat (OpenSSL ASN.1 protocol crashes): http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=104893
MISC (http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm): http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
REDHAT (RHSA-2003:292): http://www.redhat.com/support/errata/RHSA-2003-292.html
ENGARDE (ESA-20030930-027): http://www.linuxsecurity.com/advisories/engarde_advisory-3693.html
DEBIAN (DSA-393): http://www.debian.org/security/2003/dsa-393
DEBIAN (DSA-394): http://www.debian.org/security/2003/dsa-394
OVAL (OVAL4254): http://oval.mitre.org/oval/definitions/data/oval4254.html
CERT (CA-2003-26): http://www.cert.org/advisories/CA-2003-26.html
CERT-VN (VU#255484): http://www.kb.cert.org/vuls/id/255484
http://www-1.ibm.com/support/docview.wss?uid=swg21247112
FRSIRT (ADV-2006-3900): http://www.frsirt.com/english/advisories/2006/3900
OVAL (oval:org.mitre.oval:def:4254): http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:4254
BID (8732): http://www.securityfocus.com/bid/8732
CISCO: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030930-ssl