Main Vulnerability Database SB2012031308

SB2012031308 - Cryptographic issues in openssl (Alpine package)

Published: March 13, 2012

Security Bulletin ID SB2012031308

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Cryptographic issues (CVE-ID: CVE-2012-0884)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=2dc51d3ec8d878207fb0ff7a42ad982404ec35cf
https://git.alpinelinux.org/aports/commit/?id=fe0c3a45c7d39fb25663a03d32ee2aaa6a6d8c3e
https://git.alpinelinux.org/aports/commit/?id=785a954fa1b51678cf2c37b1124799d66eb69f61