First published: Fri Mar 18 2011
The S/MIME feature in Open Ticket Request System (OTRS) before 2.3.4 does not configure the RANDFILE and HOME environment variables for OpenSSL, which might make it easier for remote attackers to decrypt e-mail messages that had lower than intended entropy available for cryptographic operations, related to inability to write to the seeding file.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
OTRS | <=2.3.3 | |
OTRS | =0.5-beta1 | |
OTRS | =0.5-beta2 | |
OTRS | =0.5-beta3 | |
OTRS | =0.5-beta4 | |
OTRS | =0.5-beta5 | |
OTRS | =0.5-beta6 | |
OTRS | =0.5-beta7 | |
OTRS | =0.5-beta8 | |
OTRS | =1.0-rc1 | |
OTRS | =1.0-rc2 | |
OTRS | =1.0-rc3 | |
OTRS | =1.0.0 | |
OTRS | =1.0.1 | |
OTRS | =1.0.2 | |
OTRS | =1.1-rc1 | |
OTRS | =1.1.0-rc1 | |
OTRS | =1.1.0-rc2 | |
OTRS | =1.1.1 | |
OTRS | =1.1.2 | |
OTRS | =1.1.3 | |
OTRS | =1.1.4 | |
OTRS | =1.2.0-beta1 | |
OTRS | =1.2.0-beta2 | |
OTRS | =1.2.0-beta3 | |
OTRS | =1.2.1 | |
OTRS | =1.2.2 | |
OTRS | =1.2.3 | |
OTRS | =1.2.4 | |
OTRS | =1.3.0-beta1 | |
OTRS | =1.3.0-beta2 | |
OTRS | =1.3.0-beta3 | |
OTRS | =1.3.0-beta4 | |
OTRS | =1.3.1 | |
OTRS | =1.3.2 | |
OTRS | =1.3.3 | |
OTRS | =2.0.0 | |
OTRS | =2.0.0-beta1 | |
OTRS | =2.0.0-beta2 | |
OTRS | =2.0.0-beta4 | |
OTRS | =2.0.0-beta5 | |
OTRS | =2.0.0-beta6 | |
OTRS | =2.0.1 | |
OTRS | =2.0.2 | |
OTRS | =2.0.3 | |
OTRS | =2.0.4 | |
OTRS | =2.0.5 | |
OTRS | =2.1.0-beta1 | |
OTRS | =2.1.0-beta2 | |
OTRS | =2.1.1 | |
OTRS | =2.1.2 | |
OTRS | =2.1.3 | |
OTRS | =2.1.4 | |
OTRS | =2.1.5 | |
OTRS | =2.1.6 | |
OTRS | =2.1.7 | |
OTRS | =2.1.8 | |
OTRS | =2.1.9 | |
OTRS | =2.2.0-beta1 | |
OTRS | =2.2.0-beta2 | |
OTRS | =2.2.0-beta3 | |
OTRS | =2.2.0-beta4 | |
OTRS | =2.2.0-rc1 | |
OTRS | =2.2.1 | |
OTRS | =2.2.2 | |
OTRS | =2.2.3 | |
OTRS | =2.2.4 | |
OTRS | =2.2.5 | |
OTRS | =2.2.6 | |
OTRS | =2.2.7 | |
OTRS | =2.2.8 | |
OTRS | =2.2.9 | |
OTRS | =2.3.0-beta1 | |
OTRS | =2.3.0-beta2 | |
OTRS | =2.3.0-beta3 | |
OTRS | =2.3.0-beta4 | |
OTRS | =2.3.0-rc1 | |
OTRS | =2.3.1 | |
OTRS | =2.3.2 | |
CVE-2009-5057 is categorized as a high severity vulnerability due to its impact on cryptographic operations.
To fix CVE-2009-5057, update to OTRS version 2.3.4 or later, which properly configures the RANDFILE and HOME environment variables for OpenSSL.
CVE-2009-5057 affects OTRS versions before 2.3.4, including the beta and release-candidate builds listed in the table above.
CVE-2009-5057 may make it easier for remote attackers to decrypt e-mail messages, because the S/MIME cryptographic operations had less entropy available than intended when OpenSSL could not write to its seeding file.
A temporary workaround for CVE-2009-5057 involves manually configuring the RANDFILE and HOME environment variables for OpenSSL prior to invoking OTRS.
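A check for the workaround above, as an added example (not OTRS or SecAlerts code): it resolves the seeding file from RANDFILE and HOME in OpenSSL's documented lookup order (RANDFILE, otherwise `$HOME/.rnd`) and reports whether that file can be written. The function names and status strings are hypothetical.

```shell
#!/bin/sh
# Added example: verify that OpenSSL's seeding file is usable in the
# environment that will invoke OTRS. Run it as the same user and with the
# same environment as that process (assumption: a POSIX shell is available).

# seed_file_path RANDFILE HOME
# Prints the seeding file OpenSSL would choose, or nothing if neither is set.
seed_file_path() {
    sf_randfile=$1
    sf_home=$2
    if [ -n "$sf_randfile" ]; then
        printf '%s\n' "$sf_randfile"
    elif [ -n "$sf_home" ]; then
        printf '%s\n' "$sf_home/.rnd"
    fi
}

# seed_file_status RANDFILE HOME
# Prints one of:
#   unset       neither variable is configured, so no seeding file is known
#   unwritable  a path resolves but cannot be created or written
#   ok          the seeding file exists and is writable, or can be created
seed_file_status() {
    sf_path=$(seed_file_path "$1" "$2")
    if [ -z "$sf_path" ]; then
        echo unset
        return 0
    fi
    sf_dir=$(dirname -- "$sf_path")
    if [ -e "$sf_path" ]; then
        # An existing seeding file must be a regular, writable file.
        if [ -f "$sf_path" ] && [ -w "$sf_path" ]; then
            echo ok
            return 0
        fi
    elif [ -d "$sf_dir" ] && [ -w "$sf_dir" ]; then
        # No file yet: the directory must allow creating it.
        echo ok
        return 0
    fi
    echo unwritable
    return 0
}

# Report on the current environment.
seed_file_status "${RANDFILE:-}" "${HOME:-}"
```

Any result other than `ok` means the environment still matches the condition this CVE describes, and RANDFILE or HOME needs to point at a location the invoking user can write.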