CVE-2006-2940
First published: Thu Sep 28 2006(Updated: )
OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenSSL OpenSSL | =0.9.5a-beta2 | |
| OpenSSL OpenSSL | =0.9.8b | |
| OpenSSL OpenSSL | =0.9.6i | |
| OpenSSL OpenSSL | =0.9.3 | |
| OpenSSL OpenSSL | =0.9.8c | |
| OpenSSL OpenSSL | =0.9.7c | |
| OpenSSL OpenSSL | =0.9.5-beta1 | |
| OpenSSL OpenSSL | =0.9.6d | |
| OpenSSL OpenSSL | =0.9.1c | |
| OpenSSL OpenSSL | =0.9.6 | |
| OpenSSL OpenSSL | =0.9.7j | |
| OpenSSL OpenSSL | =0.9.6a | |
| OpenSSL OpenSSL | =0.9.4 | |
| OpenSSL OpenSSL | =0.9.6a-beta2 | |
| OpenSSL OpenSSL | =0.9.5a | |
| OpenSSL OpenSSL | =0.9.6f | |
| OpenSSL OpenSSL | =0.9.6-beta3 | |
| OpenSSL OpenSSL | =0.9.6l | |
| OpenSSL OpenSSL | =0.9.7k | |
| OpenSSL OpenSSL | =0.9.7g | |
| OpenSSL OpenSSL | =0.9.6e | |
| OpenSSL OpenSSL | =0.9.7d | |
| OpenSSL OpenSSL | =0.9.7 | |
| OpenSSL OpenSSL | =0.9.6b | |
| OpenSSL OpenSSL | =0.9.7e | |
| OpenSSL OpenSSL | =0.9.7b | |
| OpenSSL OpenSSL | =0.9.6a-beta1 | |
| OpenSSL OpenSSL | =0.9.6k | |
| OpenSSL OpenSSL | =0.9.8a | |
| OpenSSL OpenSSL | =0.9.6g | |
| OpenSSL OpenSSL | =0.9.6-beta2 | |
| OpenSSL OpenSSL | =0.9.3a | |
| OpenSSL OpenSSL | =0.9.6h | |
| OpenSSL OpenSSL | =0.9.7i | |
| OpenSSL OpenSSL | =0.9.7h | |
| OpenSSL OpenSSL | =0.9.6j | |
| OpenSSL OpenSSL | =0.9.8 | |
| OpenSSL OpenSSL | =0.9.7a | |
| OpenSSL OpenSSL | =0.9.6c | |
| OpenSSL OpenSSL | =0.9.6-beta1 | |
| OpenSSL OpenSSL | =0.9.6m | |
| OpenSSL OpenSSL | =0.9.5-beta2 | |
| OpenSSL OpenSSL | =0.9.2b | |
| OpenSSL OpenSSL | =0.9.5 | |
| OpenSSL OpenSSL | =0.9.5a-beta1 | |
| OpenSSL OpenSSL | =0.9.6a-beta3 | |
| OpenSSL OpenSSL | =0.9.7f |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openssl.org/news/secadv_20060928.txt
- http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049715.html
- http://www.debian.org/security/2006/dsa-1185
- http://security.freebsd.org/advisories/FreeBSD-SA-06:23.openssl.asc
- http://www.redhat.com/support/errata/RHSA-2006-0695.html
- http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.676946
- http://www.ubuntu.com/usn/usn-353-1
- http://www.securityfocus.com/bid/20247
- http://secunia.com/advisories/22130
- http://secunia.com/advisories/22094
- http://secunia.com/advisories/22165
- http://secunia.com/advisories/22186
- http://secunia.com/advisories/22193
- http://secunia.com/advisories/22207
- http://secunia.com/advisories/22259
- http://secunia.com/advisories/22260
- http://www.uniras.gov.uk/niscc/docs/re-20060928-00661.pdf?lang=en
- http://kolab.org/security/kolab-vendor-notice-11.txt
- http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.021-openssl.html
- http://www.novell.com/linux/security/advisories/2006_58_openssl.html
- http://www.trustix.org/errata/2006/0054
- http://securitytracker.com/id?1016943
- http://secunia.com/advisories/22166
- http://secunia.com/advisories/22172
- http://secunia.com/advisories/22212
- http://secunia.com/advisories/22240
- http://secunia.com/advisories/22216
- http://secunia.com/advisories/22116
- http://secunia.com/advisories/22220
- http://openvpn.net/changelog.html
- http://www.serv-u.com/releasenotes/
- http://openbsd.org/errata.html#openssl2
- http://secunia.com/advisories/22284
- http://secunia.com/advisories/22330
- http://support.avaya.com/elmodocs2/security/ASA-2006-220.htm
- http://www.arkoon.fr/upload/alertes/37AK-2006-06-FR-1.1_FAST360_OPENSSL_ASN1.pdf
- http://www.debian.org/security/2006/dsa-1195
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1
- http://www.novell.com/linux/security/advisories/2006_24_sr.html
- http://www.ubuntu.com/usn/usn-353-2
- http://www.osvdb.org/29261
- http://secunia.com/advisories/22385
- http://secunia.com/advisories/22460
- http://security.gentoo.org/glsa/glsa-200610-11.xml
- http://secunia.com/advisories/22500
- http://secunia.com/advisories/22544
- http://www.arkoon.fr/upload/alertes/41AK-2006-08-FR-1.1_SSL360_OPENSSL_ASN1.pdf
- http://secunia.com/advisories/22626
- http://secunia.com/advisories/22487
- http://secunia.com/advisories/22671
- http://sourceforge.net/project/shownotes.php?release_id=461863&group_id=69227
- http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml
- http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_security_response09186a008077af1b.html
- http://secunia.com/advisories/22758
- http://secunia.com/advisories/22799
- http://secunia.com/advisories/22772
- http://secunia.com/advisories/23038
- http://docs.info.apple.com/article.html?artnum=304829
- http://lists.apple.com/archives/security-announce/2006/Nov/msg00001.html
- http://www.us-cert.gov/cas/techalerts/TA06-333A.html
- http://secunia.com/advisories/23155
- http://secunia.com/advisories/22298
- http://support.avaya.com/elmodocs2/security/ASA-2006-260.htm
- http://www.gentoo.org/security/en/glsa/glsa-200612-11.xml
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102747-1
- http://secunia.com/advisories/23309
- http://secunia.com/advisories/23280
- http://secunia.com/advisories/23340
- http://secunia.com/advisories/23351
- http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html
- http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html
- http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html
- http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html
- http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html
- http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
- http://secunia.com/advisories/23680
- http://secunia.com/advisories/23794
- http://securitytracker.com/id?1017522
- http://secunia.com/advisories/23915
- http://secunia.com/advisories/24950
- http://secunia.com/advisories/24930
- http://issues.rpath.com/browse/RPL-613
- http://www.xerox.com/downloads/usa/en/c/cert_ESSNetwork_XRX07001_v1.pdf
- https://issues.rpath.com/browse/RPL-1633
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:172
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:177
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:178
- http://www.securityfocus.com/bid/22083
- http://secunia.com/advisories/25889
- http://secunia.com/advisories/26329
- http://secunia.com/advisories/26893
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-200585-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-201534-1
- http://lists.vmware.com/pipermail/security-announce/2008/000008.html
- http://www.vmware.com/security/advisories/VMSA-2008-0005.html
- http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html
- http://www.vmware.com/support/player/doc/releasenotes_player.html
- http://www.vmware.com/support/player2/doc/releasenotes_player2.html
- http://www.vmware.com/support/server/doc/releasenotes_server.html
- http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html
- http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html
- http://www.securityfocus.com/bid/28276
- http://secunia.com/advisories/30124
- http://secunia.com/advisories/31531
- http://support.attachmate.com/techdocs/2374.html
- http://www.redhat.com/support/errata/RHSA-2008-0629.html
- http://secunia.com/advisories/31492
- http://www.vupen.com/english/advisories/2007/2315
- http://www.vupen.com/english/advisories/2006/3860
- http://www.vupen.com/english/advisories/2006/4019
- http://www.vupen.com/english/advisories/2006/4264
- http://www.vupen.com/english/advisories/2006/4417
- http://www.vupen.com/english/advisories/2007/1401
- http://www.vupen.com/english/advisories/2006/4750
- http://www.vupen.com/english/advisories/2006/4329
- http://www.vupen.com/english/advisories/2006/3936
- https://www2.itrc.hp.com/service/cki/docDisplay.do?docId=c00967144
- http://www.vupen.com/english/advisories/2006/3902
- http://www.vupen.com/english/advisories/2006/4401
- http://www.vupen.com/english/advisories/2006/4327
- http://www.vupen.com/english/advisories/2006/3820
- http://www.vupen.com/english/advisories/2006/4980
- http://www.vupen.com/english/advisories/2007/0343
- http://www.vupen.com/english/advisories/2006/3869
- http://www.vupen.com/english/advisories/2008/0905/references
- http://www.vupen.com/english/advisories/2006/4036
- http://www.vupen.com/english/advisories/2008/2396
- http://www.vupen.com/english/advisories/2007/2783
- http://itrc.hp.com/service/cki/docDisplay.do?docId=c00849540
- http://itrc.hp.com/service/cki/docDisplay.do?docId=c00805100
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01118771
- http://marc.info/?l=bugtraq&m=130497311408250&w=2
- http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html
- http://marc.info/?l=bind-announce&m=116253119512445&w=2
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29230
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10311
- http://www.securityfocus.com/archive/1/489739/100/0/threaded
- http://www.securityfocus.com/archive/1/456546/100/200/threaded
- http://www.securityfocus.com/archive/1/447393/100/0/threaded
- http://www.securityfocus.com/archive/1/447318/100/0/threaded
- collector/nvd-historical
- vendor/openssl
- product/openssl
- canonical/openssl openssl
- collector/nvd-index
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/type
- agent/event
- agent/description
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- version/openssl openssl/0.9.5a-beta2
- version/openssl openssl/0.9.8b
- version/openssl openssl/0.9.6i
- version/openssl openssl/0.9.3
- version/openssl openssl/0.9.8c
- version/openssl openssl/0.9.7c
- version/openssl openssl/0.9.5-beta1
- version/openssl openssl/0.9.6d
- version/openssl openssl/0.9.1c
- version/openssl openssl/0.9.6
- version/openssl openssl/0.9.7j
- version/openssl openssl/0.9.6a
- version/openssl openssl/0.9.4
- version/openssl openssl/0.9.6a-beta2
- version/openssl openssl/0.9.5a
- version/openssl openssl/0.9.6f
- version/openssl openssl/0.9.6-beta3
- version/openssl openssl/0.9.6l
- version/openssl openssl/0.9.7k
- version/openssl openssl/0.9.7g
- version/openssl openssl/0.9.6e
- version/openssl openssl/0.9.7d
- version/openssl openssl/0.9.7
- version/openssl openssl/0.9.6b
- version/openssl openssl/0.9.7e
- version/openssl openssl/0.9.7b
- version/openssl openssl/0.9.6a-beta1
- version/openssl openssl/0.9.6k
- version/openssl openssl/0.9.8a
- version/openssl openssl/0.9.6g
- version/openssl openssl/0.9.6-beta2
- version/openssl openssl/0.9.3a
- version/openssl openssl/0.9.6h
- version/openssl openssl/0.9.7i
- version/openssl openssl/0.9.7h
- version/openssl openssl/0.9.6j
- version/openssl openssl/0.9.8
- version/openssl openssl/0.9.7a
- version/openssl openssl/0.9.6c
- version/openssl openssl/0.9.6-beta1
- version/openssl openssl/0.9.6m
- version/openssl openssl/0.9.5-beta2
- version/openssl openssl/0.9.2b
- version/openssl openssl/0.9.5
- version/openssl openssl/0.9.5a-beta1
- version/openssl openssl/0.9.6a-beta3
- version/openssl openssl/0.9.7f