SB2012042401 - Input validation error in OpenSSL

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2012-2131)

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.

Remediation

Install update from vendor's website.

References

• http://cvs.openssl.org/chngview?cn=22479
• http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10673
• http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
• http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00014.html
• http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00015.html
• http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00007.html
• http://marc.info/?l=bugtraq&m=133728068926468&w=2
• http://marc.info/?l=bugtraq&m=134039053214295&w=2
• http://secunia.com/advisories/48895
• http://secunia.com/advisories/48956
• http://secunia.com/advisories/57353
• http://support.apple.com/kb/HT5784
• http://www.debian.org/security/2012/dsa-2454
• http://www.mandriva.com/security/advisories?name=MDVSA-2012:064
• http://www.openssl.org/news/secadv_20120424.txt
• http://www.openwall.com/lists/oss-security/2012/04/24/1
• http://www.securityfocus.com/bid/53212
• http://www.securitytracker.com/id?1026957
• http://www.ubuntu.com/usn/USN-1428-1
• http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564
• https://exchange.xforce.ibmcloud.com/vulnerabilities/75099