OpenSSL security team reports:

A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1 and TLS 1.2 on AES-NI supporting platforms can be exploited in a DoS attack.

A flaw in the OpenSSL handling of OCSP response verification can be exploited in a denial of service attack.

< 1.0.1_6

Problem Description:

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognized signature algorithm is received from the peer.

Impact:

A malicious peer could exploit the NULL pointer dereference crash, causing a denial of service attack.

ge 12.1 lt 12.1_4

ge 1.1.1,1 lt 1.1.1g,1

OpenSSL reports:

Memory corruption in the ASN.1 encoder

Padding oracle in AES-NI CBC MAC check

EVP_EncodeUpdate overflow

EVP_EncryptUpdate overflow

ASN.1 BIO excessive memory allocation

EBCDIC overread (OpenSSL only)

< 1.0.2_11

< 1.0.1e_8

ge 2.3.0 lt 2.3.4

< 2.2.7

< 2.3.4

ge 10.3 lt 10.3_2

ge 10.2 lt 10.2_16

ge 10.1 lt 10.1_33

ge 9.3 lt 9.3_41

The OpenSSL Project reports:

A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory causing a memory leak. This could be exploited in a Denial Of Service attack. This issue affects OpenSSL 1.0.1 server implementations for both SSL/TLS and DTLS regardless of whether SRTP is used or configured. Implementations of OpenSSL that have been compiled with OPENSSL_NO_SRTP defined are not affected. [CVE-2014-3513].

When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack. [CVE-2014-3567].

OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications to block the ability for a MITM attacker to force a protocol downgrade.

Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE [CVE-2014-3566].

When OpenSSL is configured with "no-ssl3" as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them. [CVE-2014-3568].

ge 1.0.1 lt 1.0.1_16

ge 1.0.1 lt 1.0.1j

< 1.0.1e_1

ge 8.4 lt 8.4_17

ge 9.1 lt 9.1_20

ge 9.2 lt 9.2_13

ge 9.3 lt 9.3_3

ge 10.0 lt 10.0_10

OpenSSL reports:

During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.

ge 1.0.2_2 lt 1.0.2_4

ge 1.0.2b lt 1.0.2d

Problem Description

When verifying a PKCS#1 v1.5 signature, OpenSSL ignores any bytes which follow the cryptographic hash being signed. In a valid signature there will be no such bytes.

Impact

OpenSSL will incorrectly report some invalid signatures as valid. When an RSA public exponent of 3 is used, or more generally when a small public exponent is used with a relatively large modulus (e.g., a public exponent of 17 with a 4096-bit modulus), an attacker can construct a signature which OpenSSL will accept as a valid PKCS#1 v1.5 signature.

Workaround

No workaround is available.

ge 6.1 lt 6.1_6

ge 6.0 lt 6.0_11

ge 5.5 lt 5.5_4

ge 5.4 lt 5.4_18

ge 5.3 lt 5.3_33

< 4.11_21

gt 0.9.8 lt 0.9.8c_9

< 0.9.7k_0

Applications that use SSL_MODE_RELEASE_BUFFERS, such as nginx, are prone to a race condition which may allow a remote attacker to inject random data into other connections.

ge 1.0.1 lt 1.0.1_11

ge 1.0.1 le 1.0.1g

ge 10.0 lt 10.0_2

Mitre reports:

OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.

< 1.0.2_14

Problem Description:

Several problems have been found in OpenSSL:

• During the parsing of certain invalid ASN1 structures an error condition is mishandled, possibly resulting in an infinite loop.
• A buffer overflow exists in the SSL_get_shared_ciphers function.
• A NULL pointer may be dereferenced in the SSL version 2 client code.

In addition, many applications using OpenSSL do not perform any validation of the lengths of public keys being used.

Impact:

Servers which parse ASN1 data from untrusted sources may be vulnerable to a denial of service attack.

An attacker accessing a server which uses SSL version 2 may be able to execute arbitrary code with the privileges of that server.

A malicious SSL server can cause clients connecting using SSL version 2 to crash.

Applications which perform public key operations using untrusted keys may be vulnerable to a denial of service attack.

Workaround:

No workaround is available, but not all of the vulnerabilities mentioned affect all applications.

< 0.9.7l_0

ge 0.9.8 lt 0.9.8d_0

ge 6.1 lt 6.1_9

ge 6.0 lt 6.0_14

ge 5.5 lt 5.5_7

ge 5.4 lt 5.4_21

ge 5.3 lt 5.3_36

ge 4.11 lt 4.11_24

Problem Description:

Due to improper handling of alert packets, OpenSSL would consume an excessive amount of CPU time processing undefined alert messages.

Impact:

A remote attacker who can initiate handshakes with an OpenSSL based server can cause the server to consume a lot of computation power with very little bandwidth usage, and may be able to use this technique in a leveraged Denial of Service attack.

ge 10.3 lt 10.3_12

ge 10.2 lt 10.2_25

ge 10.1 lt 10.1_42

ge 9.3 lt 9.3_50

< 1.0.2i,1

< 1.1.0a

< 1.0.1e_13

< 1.0.1e_3

OpenBSD and David Ramos reports:

Applications that use SSL_MODE_RELEASE_BUFFERS, such as nginx/apache, are prone to a race condition which may allow a remote attacker to crash the current service.

ge 1.0.1 lt 1.0.1_12

ge 10.0 lt 10.0_3

The OpenSSL project reports:

BN_mod_exp may produce incorrect results on MIPS (Moderate)

There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701.

< 1.1.1m,1

< 3.0.1

< 3.0.1

The OpenSSL project reports:

EDIPARTYNAME NULL pointer de-reference (High)

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack.

ge 1.0.2,1 lt 1.1.1i,1

ge 12.2 lt 12.2_2

ge 12.1 lt 12.1_12

ge 11.4 lt 11.4_6

OpenSSL Team reports:

Two security flaws have been fixed in OpenSSL 1.0.0e

Under certain circumstances OpenSSL's internal certificate verification routines can incorrectly accept a CRL whose nextUpdate field is in the past. (CVE-2011-3207)

OpenSSL server code for ephemeral ECDH ciphersuites is not thread-safe, and furthermore can crash if a client violates the protocol by sending handshake messages in incorrect order. (CVE-2011-3210)

ge 1.0.0 lt 1.0.0_6

ge 0.9.8 lt 1.0.0

ge 0.9.8 lt 0.9.8r

OpenSSL Team reports:

Rob Hulswit has found a flaw in the OpenSSL TLS server extension code parsing which on affected servers can be exploited in a buffer overrun attack.

Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism. Servers that are multi-process and/or disable internal session caching are NOT affected.

In particular the Apache HTTP server (which never uses OpenSSL internal caching) and Stunnel (which includes its own workaround) are NOT affected.

< 1.0.0_2

OpenSSL project reports:

1. Historically OpenSSL only ever generated DH parameters based on "safe" primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be "safe". Where an application is using DH configured with parameters based on primes that are not "safe" then an attacker could use this fact to find a peer's private DH exponent. This attack requires that the attacker complete multiple handshakes in which the peer uses the same private DH exponent. For example this could be used to discover a TLS server's private DH exponent if it's reusing the private DH exponent or it's using a static DH ciphersuite. OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set then the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk. (CVE-2016-0701)
2. A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2. (CVE-2015-3197)

< 1.0.2_7

ge 1.0.1 lt 1.0.2f

ge 10.2 lt 10.2_12

ge 10.1 lt 10.1_29

ge 9.3 lt 9.3_36

The OpenSSL project reports:

• Read/write after SSL object in error state (CVE-2017-3737)
  
  OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer.
• rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
  
  There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701.

gt 1.0.2 lt 1.0.2n

OpenSSL reports:

High: OCSP Status Request extension unbounded memory growth

SSL_peek() hang on empty record

SWEET32 Mitigation

OOB write in MDC2_Update()

Malformed SHA512 ticket DoS

OOB write in BN_bn2dec()

OOB read in TS_OBJ_print_bio()

Pointer arithmetic undefined behaviour

Constant time flag not preserved in DSA signing

DTLS buffered message DoS

DTLS replay protection DoS

Certificate message OOB reads

Excessive allocation of memory in tls_get_message_header()

Excessive allocation of memory in dtls1_preprocess_fragment()

NB: LibreSSL is only affected by CVE-2016-6304

ge 1.1.0 lt 1.1.0_1

< 1.0.2i,1

< 1.0.1e_11

ge 10.3 lt 10.3_8

ge 10.2 lt 10.2_21

ge 10.1 lt 10.1_38

ge 9.3 lt 9.3_46

OpenSSL project reports:

1. BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
2. Certificate verify crash with missing PSS parameter (CVE-2015-3194)
3. X509_ATTRIBUTE memory leak (CVE-2015-3195)
4. Race condition handling PSK identify hint (CVE-2015-3196)
5. Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)

< 1.0.2_5

ge 1.0.1 lt 1.0.2e

< 1.0.1e_7

ge 10.2 lt 10.2_8

ge 10.1 lt 10.1_25

ge 9.3 lt 9.3_31

OpenSSL project reports:

DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)

DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)

no-ssl3 configuration sets method to NULL (CVE-2014-3569)

ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)

RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)

DH client certificates accepted without verification [Server] (CVE-2015-0205)

Certificate fingerprints can be modified (CVE-2014-8275)

Bignum squaring may produce incorrect results (CVE-2014-3570)

ge 1.0.1 lt 1.0.1_17

ge 1.0.1 lt 1.0.1k

< 1.0.1e_3

ge 10.1 lt 10.1_4

ge 10.0 lt 10.0_16

ge 9.3 lt 9.3_8

ge 8.4 lt 8.4_22

The OpenSSL project reports:

Circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review.

< 1.1.1p,1

< 3.0.4

< 3.0.4

OpenSSL Reports:

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

The bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

The code used to handle the Heartbeat Extension does not do sufficient boundary checks on record length, which allows reading beyond the actual payload.

ge 1.0.1 lt 1.0.1_10

ge 1.0.1 lt 1.0.1g

ge 10.0 lt 10.0_1

The OpenSSL project reports:

High: CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450)

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default.

High: NULL pointer deref in signature_algorithms processing (CVE-2021-3449)

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack.

< 1.1.1k,1

ge 12.2 lt 12.2_5

OpenSSL development team reports:

Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014]:

• Fix for TLS record tampering bug [CVE-2013-4353]
• Fix for TLS version checking bug [CVE-2013-6449]
• Fix for DTLS retransmission bug [CVE-2013-6450]

< 1.0.1_9

The OpenSSL Project reports:

An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. [CVE-2014-0224]

By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. [CVE-2014-0221]

A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. [CVE-2014-0195]

OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack. [CVE-2014-3470]

ge 1.0.1 lt 1.0.1_13

ge 1.0.1 lt 1.0.1h

ge 8.0 lt 8.4_12

ge 9.1 lt 9.1_15

ge 9.2 lt 9.2_8

ge 10.0 lt 10.0_5

The OpenSSL Team reports:

A flaw in the fix to CVE-2011-4108 can be exploited in a denial of service attack. Only DTLS applications using OpenSSL 1.0.0f and 0.9.8s are affected.

< 1.0.0_9

Vulnerability:

Such applications are affected if they use the option SSL_OP_MSIE_SSLV2_RSA_PADDING. This option is implied by use of SSL_OP_ALL, which is intended to work around various bugs in third-party software that might prevent interoperability. The SSL_OP_MSIE_SSLV2_RSA_PADDING option disables a verification step in the SSL 2.0 server supposed to prevent active protocol-version rollback attacks. With this verification step disabled, an attacker acting as a "man in the middle" can force a client and a server to negotiate the SSL 2.0 protocol even if these parties both support SSL 3.0 or TLS 1.0. The SSL 2.0 protocol is known to have severe cryptographic weaknesses and is supported as a fallback only.

Applications using neither SSL_OP_MSIE_SSLV2_RSA_PADDING nor SSL_OP_ALL are not affected. Also, applications that disable use of SSL 2.0 are not affected.

le 0.9.7g

ge 0.9.8 le 0.9.8_1

ge 0.9.*_20050325 le 0.9.*_20051011

le 0.9.8_1

ge 0.9.*_20050325 le 0.9.*_20051011

< 5.4.0.8

< 4.10_19

ge 4.11 lt 4.11_13

ge 5.3 lt 5.3_23

ge 5.4 lt 5.4_8

The OpenSSL Team reports:

A weakness in the OpenSSL CMS and PKCS #7 code can be exploited using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding also known as the million message attack (MMA).

Only users of CMS, PKCS #7, or S/MIME decryption operations are affected. A successful attack needs on average 2^20 messages. In practice only automated systems will be affected as humans will not be willing to process this many messages.

SSL/TLS applications are *NOT* affected by this problem since the SSL/TLS code does not use the PKCS#7 or CMS decryption code.

< 1.0.0_10

A remote attacker could cause an application using OpenSSL to crash by performing a specially crafted SSL/TLS handshake.

< 0.9.7d

ge 4.0 lt 4.8_17

ge 4.9 lt 4.9_4

ge 5.0 lt 5.1_16

ge 5.2 lt 5.2.1_3

The OpenSSL team reports:

Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficient for an attacker to recover the private DSA key.

< 1.0.2_13

< 2.2.9

ge 2.3.0 lt 2.3.6

< 2.4.1

The OpenSSL project reports:

Microarchitecture timing vulnerability in ECC scalar multiplication. Severity: Low

OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown to be vulnerable to a microarchitecture timing side channel attack. An attacker with sufficient access to mount local timing attacks during ECDSA signature generation could recover the private key.

< 1.0.2p_2

OpenSSL security team reports:

A potentially exploitable vulnerability has been discovered in the OpenSSL function asn1_d2i_read_bio. Any application which uses BIO or FILE based functions to read untrusted DER format data is vulnerable. Affected functions are of the form d2i_*_bio or d2i_*_fp, for example d2i_X509_bio or d2i_PKCS12_fp.

< 1.0.1_1

The OpenSSL project reports:

0-byte record padding oracle (CVE-2019-1559) (Moderate)

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data.

< 1.0.2r,1

< 1.0.1e_16

The OpenSSL Team reports:

6 security flaws have been fixed in OpenSSL 1.0.0f:

If X509_V_FLAG_POLICY_CHECK is set in OpenSSL 0.9.8, then a policy check failure can lead to a double-free.

OpenSSL prior to 1.0.0f and 0.9.8s failed to clear the bytes used as block cipher padding in SSL 3.0 records. As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory.

RFC 3779 data can be included in certificates, and if it is malformed, may trigger an assertion failure. This could be used in a denial-of-service attack.

Support for handshake restarts for server gated cryptograpy (SGC) can be used in a denial-of-service attack.

A malicious TLS client can send an invalid set of GOST parameters which will cause the server to crash due to lack of error checking. This could be used in a denial-of-service attack.

< 1.0.0_8

Cesar Pereida Garcia reports:

The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL versions and forks is vulnerable to timing attacks when signing with the standardized elliptic curve P-256 despite featuring constant-time curve operations and modular inversion. A software defect omits setting the BN_FLG_CONSTTIME flag for nonces, failing to take a secure code path in the BN_mod_inverse method and therefore resulting in a cache-timing attack vulnerability.

A malicious user with local access can recover ECDSA P-256 private keys.

< 1.0.2

< 2.4.4_1

< 2.5.0_1

OpenSSL reports:

A flaw in the implementation of Montgomery Ladder Approach would create a side-channel that leaks sensitive timing information.

A local attacker might be able to snoop a signing process and might recover the signing key from it.

ge 1.0.1 lt 1.0.1_10

ge 1.0.1 lt 1.0.1g

ge 8.3 lt 8.3_15

ge 8.4 lt 8.4_8

ge 9.1 lt 9.1_11

ge 9.2 lt 9.2_4

ge 10.0 lt 10.0_1

Secunia reports:

Some vulnerabilities have been reported in OpenSSL, which can be exploited by malicious people to cause a DoS.

The library does not limit the number of buffered DTLS records with a future epoch. This can be exploited to exhaust all available memory via specially crafted DTLS packets.

An error when processing DTLS messages can be exploited to exhaust all available memory by sending a large number of out of sequence handshake messages.

ge 0.9.8 lt 0.9.8k_1

ge 0.9.8f lt 0.9.8m

The OpenSSL team reports:

• Missing DHE man-in-the-middle protection (Logjam) (CVE-2015-4000)
• Malformed ECParameters causes infinite loop (CVE-2015-1788)
• Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
• PKCS#7 crash with missing EnvelopedContent (CVE-2015-1790)
• CMS verify infinite loop with unknown hash function (CVE-2015-1792)
• Race condition handling NewSessionTicket (CVE-2015-1791)
• Invalid free in DTLS (CVE-2014-8176)

< 1.0.2_2

ge 1.0.1 lt 1.0.2b

< 1.0.1e_6

< 2.1.7

ge 10.1 lt 10.1_12

ge 9.3 lt 9.3_16

ge 8.4 lt 8.4_30

The OpenSSL Project reports:

A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex et al. to leak some information from the stack. [CVE-2014-3508]

The issue affects OpenSSL clients and allows a malicious server to crash the client with a null pointer dereference (read) by specifying an SRP ciphersuite even though it was not properly negotiated with the client. [CVE-2014-5139]

If a multithreaded client connects to a malicious server using a resumed session and the server sends an ec point format extension it could write up to 255 bytes to freed memory. [CVE-2014-3509]

An attacker can force an error condition which causes openssl to crash whilst processing DTLS packets due to memory being freed twice. This can be exploited through a Denial of Service attack. [CVE-2014-3505]

An attacker can force openssl to consume large amounts of memory whilst processing DTLS handshake messages. This can be exploited through a Denial of Service attack. [CVE-2014-3506]

By sending carefully crafted DTLS packets an attacker could cause openssl to leak memory. This can be exploited through a Denial of Service attack. [CVE-2014-3507]

OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a denial of service attack. A malicious server can crash the client with a null pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and sending carefully crafted handshake messages. [CVE-2014-3510]

A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate TLS 1.0 instead of higher protocol versions when the ClientHello message is badly fragmented. This allows a man-in-the-middle attacker to force a downgrade to TLS 1.0 even if both the server and the client support a higher protocol version, by modifying the client's TLS records. [CVE-2014-3511]

A malicious client or server can send invalid SRP parameters and overrun an internal buffer. Only applications which are explicitly set up for SRP use are affected. [CVE-2014-3512]

ge 1.0.1 lt 1.0.1_14

ge 1.0.1 lt 1.0.1i

ge 8.4 lt 8.4_15

ge 9.1 lt 9.1_18

ge 9.2 lt 9.2_11

ge 9.3 lt 9.3_1

ge 10.0 lt 10.0_8

The OpenSSL project reports:

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key.

< 1.0.2o_2,1

< 1.1.0h_1

OpenSSL reports:

Critical vulnerability in OpenSSL 1.1.0a

Fix Use After Free for large message sizes (CVE-2016-6309)

Moderate vulnerability in OpenSSL 1.0.2i

Missing CRL sanity check (CVE-2016-7052)

< 1.0.2j,1

< 1.1.0b

< 2.4.3

< 2.4.3

ge 11.0 lt 11.0_1

The OpenSSL project reports:

SM2 Decryption Buffer Overflow (CVE-2021-3711: High)

Read buffer overruns processing ASN.1 strings (CVE-2021-3712: Moderate)

< 1.1.1l,1

< 3.0.0.b3

ge 13.0 lt 13.0_4

ge 12.2 lt 12.2_10

The OpenSSL project reports:

Null pointer deref in X509_issuer_and_serial_hash() CVE-2021-23841

(Moderate) The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack.

Integer overflow in CipherUpdate CVE-2021-23840

(Low) Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.

< 1.1.1j,1

< 3.0.0.a12

ge 12.2 lt 12.2_10

ge 11.4 lt 11.4_13

OpenSSL project reports:

• Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204). OpenSSL only.
• Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
• ASN.1 structure reuse memory corruption (CVE-2015-0287)
• PKCS#7 NULL pointer dereferences (CVE-2015-0289)
• Base64 decode (CVE-2015-0292). OpenSSL only.
• DoS via reachable assert in SSLv2 servers (CVE-2015-0293). OpenSSL only.
• Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
• X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)

ge 1.0.1 lt 1.0.1_19

ge 1.0.1 lt 1.0.1m

< 1.0.1e_4

le 2.1.5_1

ge 10.1 lt 10.1_8

ge 9.3 lt 9.3_12

ge 8.4 lt 8.4_26

The OpenSSL project reports:

ECDSA remote timing attack (CVE-2019-1547) [Low]

Fork Protection (CVE-2019-1549) [Low]

(OpenSSL 1.1.1 only)

< 1.0.2t,1

< 1.1.1d

The OpenSSL project reports:

• Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739)
  
  Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe.
• rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
  
  There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation).

< 1.0.2o,1

< 1.1.0h

The OpenSSL project reports:

During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack.

< 2.6.5

ge 2.7.0 lt 2.7.4

< 1.0.2o_4,1

< 1.1.0h_2

The OpenSSL project reports:

• Truncated packet could crash via OOB read (CVE-2017-3731)
• Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)
• BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
• Montgomery multiplication may produce incorrect results (CVE-2016-7055)

< 1.0.2k,1

< 1.1.0d

< 1.0.1e_13

< 1.0.1e_3

ge 11.0 lt 11.0_8

ge 10.3 lt 10.3_17

The OpenSSL project reports:

rsaz_512_sqr overflow bug on x86_64 (CVE-2019-1551) (Low)

There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME.

< 1.0.2u,1

OpenSSL security team reports:

A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and DTLS can be exploited in a denial of service attack on both clients and servers.

< 1.0.1_2

The OpenSSL project reports:

Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli.

Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.

It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters.

Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.

Thus vulnerable situations include:

• TLS clients consuming server certificates
• TLS servers consuming client certificates
• Hosting providers taking certificates or private keys from customers
• Certificate authorities parsing certification requests from subscribers
• Anything else which parses ASN.1 elliptic curve parameters

Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue.

< 1.1.1n,1

< 3.0.2

< 3.0.2

< 3.4.3

< 3.5.1

ge 13.0 lt 13.0_8

ge 12.3 lt 12.3_3

ge 12.2 lt 12.2_14

The OpenSSL project reports:

bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)

Severity: Moderate

There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline.

Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)

Severity: Low

This issue was previously announced in security advisory https://www.openssl.org/news/secadv/20170828.txt, but the fix has not previously been included in a release due to its low severity.

< 1.0.2m,1

< 1.1.0g

The OpenSSL project reports:

• The c_rehash script allows command injection (CVE-2022-1292) (Moderate)
  
  The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.
• OCSP_basic_verify may incorrectly verify the response signing certificate (CVE-2022-1343) (Moderate)
  
  The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify.
• Incorrect MAC key used in the RC4-MD5 ciphersuite (CVE-2022-1434) (Low)
  
  The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable.
• Resource leakage when decoding certificates and keys (CVE-2022-1473) (Low)
  
  The OPENSSL_LH_flush() function, which empties a hash table, containsa bug that breaks reuse of the memory occuppied by the removed hash table entries.

< 1.1.1o,1

< 3.0.3

< 3.0.3