SB2012051504 - Out-of-bounds read in OpenSSL
Published: May 15, 2012 Updated: July 28, 2020
Security Bulletin ID
SB2012051504
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Out-of-bounds read (CVE-ID: CVE-2012-2333)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption,. A remote attacker can perform a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.
Remediation
Install update from vendor's website.
References
- http://cvs.openssl.org/chngview?cn=22538
- http://cvs.openssl.org/chngview?cn=22547
- http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081460.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092905.html
- http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00019.html
- http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00020.html
- http://marc.info/?l=bugtraq&m=134919053717161&w=2
- http://marc.info/?l=bugtraq&m=136432043316835&w=2
- http://rhn.redhat.com/errata/RHSA-2012-0699.html
- http://rhn.redhat.com/errata/RHSA-2012-1306.html
- http://rhn.redhat.com/errata/RHSA-2012-1307.html
- http://rhn.redhat.com/errata/RHSA-2012-1308.html
- http://secunia.com/advisories/49116
- http://secunia.com/advisories/49208
- http://secunia.com/advisories/49324
- http://secunia.com/advisories/50768
- http://secunia.com/advisories/51312
- http://support.apple.com/kb/HT5784
- http://www.cert.fi/en/reports/2012/vulnerability641549.html
- http://www.debian.org/security/2012/dsa-2475
- http://www.kb.cert.org/vuls/id/737740
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:073
- http://www.openssl.org/news/secadv_20120510.txt
- http://www.securityfocus.com/bid/53476
- http://www.securitytracker.com/id?1027057
- https://bugzilla.redhat.com/show_bug.cgi?id=820686
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75525