CVE-2015-0287
First published: Mon Mar 16 2015(Updated: )
Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. Such reuse is and has been strongly discouraged and is believed to be rare. Applications that parse structures containing CHOICE or ANY DEFINED BY components may be affected. Certificate parsing (d2i_X509 and related functions) are however not affected. OpenSSL clients and servers are not affected. This issue affects OpenSSL versions: 1.0.2, 1.0.1, 1.0.0, and 0.9.8. This issue is fixed in versions: 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf. Acknowledgements: Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Emilia Käsper as the original reporter.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/openssl | <1.0.2 | 1.0.2 |
| redhat/openssl | <1.0.1 | 1.0.1 |
| redhat/openssl | <0.9.8 | 0.9.8 |
| OpenSSL libcrypto | <=0.9.8ze | |
| OpenSSL libcrypto | =1.0.0 | |
| OpenSSL libcrypto | =1.0.0a | |
| OpenSSL libcrypto | =1.0.0b | |
| OpenSSL libcrypto | =1.0.0c | |
| OpenSSL libcrypto | =1.0.0d | |
| OpenSSL libcrypto | =1.0.0e | |
| OpenSSL libcrypto | =1.0.0f | |
| OpenSSL libcrypto | =1.0.0g | |
| OpenSSL libcrypto | =1.0.0h | |
| OpenSSL libcrypto | =1.0.0i | |
| OpenSSL libcrypto | =1.0.0j | |
| OpenSSL libcrypto | =1.0.0k | |
| OpenSSL libcrypto | =1.0.0l | |
| OpenSSL libcrypto | =1.0.0m | |
| OpenSSL libcrypto | =1.0.0n | |
| OpenSSL libcrypto | =1.0.0o | |
| OpenSSL libcrypto | =1.0.0p | |
| OpenSSL libcrypto | =1.0.0q | |
| OpenSSL libcrypto | =1.0.1 | |
| OpenSSL libcrypto | =1.0.1a | |
| OpenSSL libcrypto | =1.0.1b | |
| OpenSSL libcrypto | =1.0.1c | |
| OpenSSL libcrypto | =1.0.1d | |
| OpenSSL libcrypto | =1.0.1e | |
| OpenSSL libcrypto | =1.0.1f | |
| OpenSSL libcrypto | =1.0.1g | |
| OpenSSL libcrypto | =1.0.1h | |
| OpenSSL libcrypto | =1.0.1i | |
| OpenSSL libcrypto | =1.0.1j | |
| OpenSSL libcrypto | =1.0.1k | |
| OpenSSL libcrypto | =1.0.1l | |
| OpenSSL libcrypto | =1.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://openssl.org/news/secadv_20150319.txt
- https://access.redhat.com/articles/1384453
- https://git.openssl.org/?p=openssl.git;a=commitdiff;h=b717b083073b6cacc0a5e2397b661678aff7ae7f
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1196738
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1203855
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1203856
- https://rhn.redhat.com/errata/RHSA-2015-0715.html
- https://rhn.redhat.com/errata/RHSA-2015-0716.html
- https://rhn.redhat.com/errata/RHSA-2015-0752.html
- https://rhn.redhat.com/errata/RHSA-2015-0800.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1202380
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10680
- http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.html
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00001.html
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152733.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152734.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152844.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/156823.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157177.html
- http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00022.html
- http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00037.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00017.html
- http://lists.opensuse.org/opensuse-updates/2015-03/msg00062.html
- http://marc.info/?l=bugtraq&m=142841429220765&w=2
- http://marc.info/?l=bugtraq&m=143213830203296&w=2
- http://marc.info/?l=bugtraq&m=143748090628601&w=2
- http://marc.info/?l=bugtraq&m=144050155601375&w=2
- http://marc.info/?l=bugtraq&m=144050297101809&w=2
- http://rhn.redhat.com/errata/RHSA-2015-0715.html
- http://rhn.redhat.com/errata/RHSA-2015-0716.html
- http://rhn.redhat.com/errata/RHSA-2015-0752.html
- http://rhn.redhat.com/errata/RHSA-2015-0800.html
- http://support.apple.com/kb/HT204942
- http://www.debian.org/security/2015/dsa-3197
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:062
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:063
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
- http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
- http://www.securityfocus.com/bid/73227
- http://www.securitytracker.com/id/1031929
- http://www.ubuntu.com/usn/USN-2537-1
- https://bto.bluecoat.com/security-advisory/sa92
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
- https://git.openssl.org/?p=openssl.git;a=commit;h=b717b083073b6cacc0a5e2397b661678aff7ae7f
- https://kc.mcafee.com/corporate/index?page=content&id=SB10110
- https://security.gentoo.org/glsa/201503-11
- https://support.apple.com/HT205212
- https://support.apple.com/HT205267
- https://support.citrix.com/article/CTX216642
- https://www.freebsd.org/security/advisories/FreeBSD-SA-15%3A06.openssl.asc
- https://www.openssl.org/news/secadv_20150319.txt
- https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=b717b083073b6cacc0a5e2397b661678aff7ae7f
Frequently Asked Questions
What is the severity of CVE-2015-0287?
CVE-2015-0287 is categorized as a high severity vulnerability due to its potential for memory corruption exploits.
How do I fix CVE-2015-0287?
To fix CVE-2015-0287, update your OpenSSL version to 1.0.2 or 1.0.1 or any later version that resolves this issue.
What versions of OpenSSL are affected by CVE-2015-0287?
CVE-2015-0287 affects OpenSSL versions prior to 1.0.2 and includes all versions of 1.0.1 and earlier.
What kind of attacks can exploit CVE-2015-0287?
CVE-2015-0287 can lead to memory corruption, which could potentially allow an attacker to execute arbitrary code.
Is CVE-2015-0287 likely to be exploited in the wild?
While CVE-2015-0287 has the potential for exploitation, it is believed to be rare due to the specific conditions required.
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/references
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-0287
- agent/software-canonical-lookup
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/openssl
- canonical/openssl libcrypto
- version/openssl libcrypto/0.9.8ze
- version/openssl libcrypto/1.0.0
- version/openssl libcrypto/1.0.0a
- version/openssl libcrypto/1.0.0b
- version/openssl libcrypto/1.0.0c
- version/openssl libcrypto/1.0.0d
- version/openssl libcrypto/1.0.0e
- version/openssl libcrypto/1.0.0f
- version/openssl libcrypto/1.0.0g
- version/openssl libcrypto/1.0.0h
- version/openssl libcrypto/1.0.0i
- version/openssl libcrypto/1.0.0j
- version/openssl libcrypto/1.0.0k
- version/openssl libcrypto/1.0.0l
- version/openssl libcrypto/1.0.0m
- version/openssl libcrypto/1.0.0n
- version/openssl libcrypto/1.0.0o
- version/openssl libcrypto/1.0.0p
- version/openssl libcrypto/1.0.0q
- version/openssl libcrypto/1.0.1
- version/openssl libcrypto/1.0.1a
- version/openssl libcrypto/1.0.1b
- version/openssl libcrypto/1.0.1c
- version/openssl libcrypto/1.0.1d
- version/openssl libcrypto/1.0.1e
- version/openssl libcrypto/1.0.1f
- version/openssl libcrypto/1.0.1g
- version/openssl libcrypto/1.0.1h
- version/openssl libcrypto/1.0.1i
- version/openssl libcrypto/1.0.1j
- version/openssl libcrypto/1.0.1k
- version/openssl libcrypto/1.0.1l
- version/openssl libcrypto/1.0.2