VID | 22483
Severity | 30
Port | 80, ...
Protocol | TCP
Class | WWW
Detailed Description |
According to its banner, the remote web server is running a version of OpenSSL older than 0.9.8n. Such versions have the following vulnerabilities:
- Kerberos-enabled versions of OpenSSL do not check the return value when Kerberos configuration files cannot be opened, leading to a crash. (CVE-2010-0433)
- Rejecting an SSL/TLS record with an incorrect version number can lead to a crash. This only affects version 0.9.8m if a 'short' is 16 bits. Otherwise, it affects all versions back to and including 0.9.8f. (CVE-2010-0740)
* References: http://www.openssl.org/news/secadv_20100324.txt http://marc.info/?l=openssl-announce&m=126945948000371&w=2
* Platforms Affected: OpenSSL Project OpenSSL prior to 0.9.8n
Recommendation | Upgrade to the latest version of OpenSSL (0.9.8n or later)
Related URL | CVE-2010-0433, CVE-2010-0740 (CVE)
Related URL | 39013 (SecurityFocus)
Related URL | (ISS)