#VU32820 Cryptographic issues in OpenSSL - CVE-2012-0884


| Updated: 2020-07-28

Vulnerability identifier: #VU32820

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2012-0884

CWE-ID: CWE-310

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OpenSSL: 0.9.0b, 0.9.1c - 0.9.1b, 0.9.2b, 0.9.3a - 0.9.3, 0.9.4, 0.9.5a - 0.9.5, 0.9.6g - 0.9.6-15, 0.9.7g - 0.9.7, 0.9.8m - 0.9.8p, 1.0.0c - 1.0.0

External links
https://lists.fedoraproject.org/pipermail/package-announce/2012-April/077086.html
https://lists.fedoraproject.org/pipermail/package-announce/2012-April/077221.html
https://lists.fedoraproject.org/pipermail/package-announce/2012-April/077666.html
https://lists.fedoraproject.org/pipermail/package-announce/2012-November/092905.html
https://marc.info/?l=bugtraq&m=133728068926468&w=2
https://marc.info/?l=bugtraq&m=133951357207000&w=2
https://marc.info/?l=bugtraq&m=134039053214295&w=2
https://rhn.redhat.com/errata/RHSA-2012-0426.html
https://rhn.redhat.com/errata/RHSA-2012-0488.html
https://rhn.redhat.com/errata/RHSA-2012-0531.html
https://rhn.redhat.com/errata/RHSA-2012-1306.html
https://rhn.redhat.com/errata/RHSA-2012-1307.html
https://rhn.redhat.com/errata/RHSA-2012-1308.html
https://secunia.com/advisories/48580
https://secunia.com/advisories/48895
https://secunia.com/advisories/48916
https://secunia.com/advisories/57353
https://www.debian.org/security/2012/dsa-2454
https://www.kb.cert.org/vuls/id/737740
https://www.openssl.org/news/secadv_20120312.txt
https://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564
https://downloads.avaya.com/css/P8/documents/100162507
https://hermes.opensuse.org/messages/14330767

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Cryptographic issues in openssl (Alpine package)
Cryptographic issues in OpenSSL