Vulnerability identifier: #VU56064
Vulnerability risk: Medium
CVSSv3.1:
CVE-ID:
CWE-ID:
CWE-125
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
OpenSSL
Server applications /
Encryption software
Vendor: OpenSSL Software Foundation
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition when processing ASN.1 strings related to a confusion with NULL termination of strings in array. A remote attacker can pass specially crafted data to the application to trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service (DoS) attack.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
OpenSSL: 1.0.2 - 1.0.2y, 1.1.1 - 1.1.1k
CPE
External links
http://www.openssl.org/news/secadv/20210824.txt
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?