Amazon Linux AMI update for openssl098e

Published: 2012-05-02

Risk	Medium
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2012-2110
CWE-ID	CWE-119
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #1 is available.
Vulnerable software	Amazon Linux AMI Operating systems & Components / Operating system
Vendor	Amazon Web Services

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Buffer overflow

EUVDB-ID: #VU32816

Risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2012-2110

CWE-ID: CWE-119 - Memory corruption

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.

Mitigation

Update the affected packages:

i686:
    openssl098e-0.9.8e-17.8.amzn1.i686
    openssl098e-debuginfo-0.9.8e-17.8.amzn1.i686

src:
    openssl098e-0.9.8e-17.8.amzn1.src

x86_64:
    openssl098e-debuginfo-0.9.8e-17.8.amzn1.x86_64
    openssl098e-0.9.8e-17.8.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2012-73.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.