| VID |
22487 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
According to its banner, the remote web server is running a version of OpenSSL older than 0.9.8o / 1.0.0a. Such versions have the following vulnerabilities :
- The mishandling of Cryptographic Message Syntax structures containing an OriginatorInfo element can lead to data being written to invalid memory addresses
or memory being freed up twice. (CVE-2010-0742)
- An uninitialized buffer of undefined length is returned when verification recovery fails for RSA keys. This allows an attacker to bypass key checks in applications
calling the function EVP_PKEY_verify_recover(). Note this function is not used by OpenSSLcode itself. (CVE-2010-1633)
* References:
http://www.openssl.org/news/secadv_20100601.txt |
| Recommendation |
Upgrade to the latest version of OpenSSL (0.9.8o / 1.0.0a or later) |
| Related URL |
CVE-2010-0742,CVE-2010-1633 (CVE) |
| Related URL |
40502,40503 (SecurityFocus) |
| Related URL |
(ISS) |
|
