Pri radu programskog alata OpenSSL otkriven je sigurnosni propust koji omogućuje udaljenom napadaču pokretanje napada uskraćivanja usluga te pregled određenih podataka.
Otkriveni nedostatak posljedica je neispravnosti u datoteci ssl/t1_lib.c u kojoj dolazi do neodgovarajućeg upravljanja memorijom pri radu s posebno oblikovanom "ClientHello" porukom.
Posljedica:
Uočenu ranjivost udaljeni napadač može iskoristiti za pokretanje napada uskraćivanja usluga te eventualno za otkrivanje osjetljivih informacija.
Rješenje:
Svim korisnicima preporučuje se primjena uobičajene nadogradnje.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02896506
Version: 1
HPSBUX02689 SSRT100494 rev.1 - HP-UX Running OpenSSL, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-07-06
Last Updated: 2011-07-06
Potential Security Impact: Remote Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX OpenSSL. This vulnerability could be exploited remotely to ceate a Denial of Service (DoS).
References: CVE-2011-0014
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running OpenSSL before vA.00.09.08r.
BACKGROUND
For a PGP signed version of this security bulletin please write to: Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
CVSS 2.0 Base Metrics
Reference
Base Vector
Base Score
CVE-2011-0014
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
5.0
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided upgrades to resolve this vulnerability.
The upgrades are available from the following location via FTP Access.
ftp.usa.hp.com (15.192.32.78)
Login: ssl098r
Password: 0penSS1! (NOTE: CASE-sensitive)
ftp://ssl098r:0penSS1!@ftp.usa.hp.com/
ftp://ssl098r:0penSS1!@15.192.32.78/
HP-UX Release
Depot Name
B.11.11 PA (32 and 64)
OpenSSL_A.00.09.08r.001_HP-UX_B.11.11_32+64.depot
B.11.23 (PA and IA)
OpenSSL_A.00.09.08r.002_HP-UX_B.11.23_IA-PA.depot
B.11.31 (PA and IA)
OpenSSL_A.00.09.08r.003_HP-UX_B.11.31_IA-PA.depot
MANUAL ACTIONS: Yes - Update
Install OpenSSL A.00.09.08r or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
==================
openssl.OPENSSL-CER
openssl.OPENSSL-CONF
openssl.OPENSSL-DOC
openssl.OPENSSL-INC
openssl.OPENSSL-LIB
openssl.OPENSSL-MAN
openssl.OPENSSL-MIS
openssl.OPENSSL-PRNG
openssl.OPENSSL-PVT
openssl.OPENSSL-RUN
openssl.OPENSSL-SRC
action: install revision A.00.09.08r.001 or subsequent
HP-UX B.11.23
==================
openssl.OPENSSL-CER
openssl.OPENSSL-CONF
openssl.OPENSSL-DOC
openssl.OPENSSL-INC
openssl.OPENSSL-LIB
openssl.OPENSSL-MAN
openssl.OPENSSL-MIS
openssl.OPENSSL-PRNG
openssl.OPENSSL-PVT
openssl.OPENSSL-RUN
openssl.OPENSSL-SRC
action: install revision A.00.09.08r.002 or subsequent
HP-UX B.11.31
==================
openssl.OPENSSL-CER
openssl.OPENSSL-CONF
openssl.OPENSSL-DOC
openssl.OPENSSL-INC
openssl.OPENSSL-LIB
openssl.OPENSSL-MAN
openssl.OPENSSL-MIS
openssl.OPENSSL-PRNG
openssl.OPENSSL-PVT
openssl.OPENSSL-RUN
openssl.OPENSSL-SRC
action: install revision A.00.09.08r.003 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) 6 July 2011 Initial release
Posljednje sigurnosne preporuke