| VID |
22225 |
| Severity |
30 |
| Port |
443 |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
OpenSSL contains a denial of service vulnerability caused by improper parsing of ASN.1 tags. OpenSSL is an open-source implementation of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols. OpenSSL 0.9.7b and earlier and 0.9.6j and earlier are affected: unusual ASN.1 tag values are not handled correctly by the parser. By sending a specially crafted SSL client certificate containing such tag values, a remote attacker can crash the service (denial of service).
* Note: This check relies solely on the version banner advertised by the remote OpenSSL to assess this vulnerability. Vendors that backport the fix without changing the version string will be reported as vulnerable, so this may be a false positive; confirm the installed package level before acting on it.
* References:
  http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
  http://www.openssl.org/news/secadv_20030930.txt
  http://www.kb.cert.org/vuls/id/380864
  http://www.kb.cert.org/vuls/id/255484
* Platforms Affected: OpenSSL 0.9.6j and earlier; OpenSSL 0.9.7b and earlier |
| Recommendation |
Upgrade to the latest OpenSSL package provided by your vendor; vendor solutions are listed at http://www.securityfocus.com/bid/8732/solution
-- OR --
Upgrade to OpenSSL 0.9.7c or later (or, on the 0.9.6 branch, 0.9.6k or later), as listed in the OpenSSL Security Advisory [30 September 2003] at http://www.openssl.org/news/secadv_20030930.txt |
| Related URL |
CVE-2003-0543, CVE-2003-0544 (CVE) |
| Related URL |
8732 (SecurityFocus) |
| Related URL |
13316 (ISS) |
|
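How the banner-based check described in the note above can be implemented, as an added example written for this entry; it is not the scanner's own check and not OpenSSL code. It assumes the OpenSSL version is visible in an HTTP Server header of the form `Apache/1.3.28 (Unix) mod_ssl/2.8.15 OpenSSL/0.9.7b`; the sample banners are constructed, and the fixed versions 0.9.6k and 0.9.7c are taken from the OpenSSL advisory cited above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions per the OpenSSL Security Advisory [30 September 2003]:
# the 0.9.6 branch is fixed in 0.9.6k, the 0.9.7 branch in 0.9.7c.
FIXED_PATCH_LETTER = {
    (0, 9, 6): "k",
    (0, 9, 7): "c",
}

# OpenSSL 0.9.x versions are "major.minor.fix" plus an optional patch letter,
# e.g. "0.9.7b"; the letter sorts alphabetically and "no letter" is the oldest.
OPENSSL_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(banner: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Extract (major, minor, fix) and the patch letter from a server banner.

    Returns None when the banner does not advertise an OpenSSL version at all.
    """
    m = OPENSSL_RE.search(banner)
    if m is None:
        return None
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return base, m.group(4).lower()


def is_affected(banner: str) -> Optional[bool]:
    """True if the advertised version is 0.9.6j-or-earlier or 0.9.7b-or-earlier.

    Returns None when no OpenSSL version is visible, so the caller can
    distinguish "not vulnerable" from "could not tell".
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    base, patch = parsed
    fixed_letter = FIXED_PATCH_LETTER.get(base)
    if fixed_letter is not None:
        # Same branch: compare the patch letter ("" < "a" < "b" < ... < "k").
        return patch < fixed_letter
    # Other branches: anything older than 0.9.6 falls under "0.9.6j and
    # earlier"; 0.9.8 and later already contain the fix.
    return base < (0, 9, 6)


def assess(banners: List[str]) -> List[Dict[str, object]]:
    """Run the banner check over captured banners and attach the
    false-positive caveat to every positive verdict."""
    findings = []
    for banner in banners:
        verdict = is_affected(banner)
        note = None
        if verdict:
            note = ("banner-based check only: vendors that backport the fix "
                    "without changing the version string will be flagged")
        findings.append({"banner": banner, "vulnerable": verdict, "note": note})
    return findings


if __name__ == "__main__":
    # Constructed sample banners (not captured from any real host).
    SAMPLE_BANNERS = [
        "Apache/1.3.28 (Unix) mod_ssl/2.8.15 OpenSSL/0.9.7b",
        "Apache/2.0.47 (Unix) mod_ssl/2.0.47 OpenSSL/0.9.7c",
        "Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6j",
        "Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.6k",
        "Apache/2.2.3 (CentOS)",
    ]
    for f in assess(SAMPLE_BANNERS):
        print(f"{f['banner']!r}: vulnerable={f['vulnerable']}")
```

A banner that carries no `OpenSSL/` token yields `None` rather than `False`, so a hardened server that hides its version is reported as undetermined instead of clean. A positive result still only means the advertised string is in the affected range; the actual package level on the host decides whether the ASN.1 fix is present.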