| VID | 22122 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description |
OpenSSL has a buffer overflow vulnerability related to the ASCII representation of integers. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols used to provide a secure connection between a client and a server for higher-level protocols such as HTTP. OpenSSL is an open-source implementation of the SSL and TLS protocols that is included with many Linux distributions. OpenSSL versions 0.9.6d and earlier, 0.9.7-beta2 and earlier, and the current development snapshots of 0.9.7 are vulnerable to a buffer overflow caused by insufficient bounds checking of ASCII representations of integers on 64-bit platforms. By sending an overly large ASCII integer to an OpenSSL server, a remote attacker could overflow a buffer and execute arbitrary code with the privileges of the vulnerable application, service or client, or cause the system to crash.
* Platforms affected: OpenSSL 0.9.6d and earlier; OpenSSL 0.9.7-beta2 and earlier
* Note: this check item relies solely on the OpenSSL version number, so a patched build that still reports an affected version string will be flagged, and an unpatched build that reports a different version string will not.
* References: http://online.securityfocus.com/bid/5364 and http://www.cert.org/advisories/CA-2002-23.html |
| Recommendation |
Upgrade to version 0.9.6e (or 0.9.7-beta3) or newer.
-- OR --
Apply the patches provided by your vendors.
* Combined patches for OpenSSL 0.9.6d: http://www.openssl.org/news/patch_20020730_0_9_6d.txt
* Combined patches for OpenSSL 0.9.7 beta 2: http://www.openssl.org/news/patch_20020730_0_9_7.txt |
| Related URL | CVE-2002-0655 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |