CVE-2006-2937 — Infinite Loop in Openssl

CWE-39913 documents11 sources

Severity

7.8HIGHNVD

EPSS

5.1%

top 10.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl Vmware Fusion +1 more

Timeline

PublishedSep 28

Latest updateDec 29

Description

OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition.

CVSS vector

AV:N/AC:L/C:N/I:N/A:CExploitability: 10.0 | Impact: 6.9

Affected Packages5 packages

▶debiandebian/openssl< openssl 0.9.8c-2 (bookworm)

▶Debianopenssl/openssl< 0.9.8c-2+3

▶NVDopenssl/openssl16 versions+15

▶vmwarevmware/vmware_fusion

▶vmwarevmware/vmware_workstation

Patches

Patch: kolab.org ↗Patch: lists.grok.org.uk ↗Patch: openbsd.org ↗

🔴Vulnerability Details

GHSA

GHSA-mwwc-2rmx-mj8j: OpenSSL 0↗2022-05-03

▶

OSV

CVE-2006-2937: OpenSSL 0↗2006-09-28

▶

📋Vendor Advisories

VMware

Several critical security vulnerabilities have been addressed in the newest releases of VMware's hosted product line↗2008-03-17

▶

Cisco

Multiple Vulnerabilities in OpenSSL Library↗2006-11-08

▶

Ubuntu

openssl vulnerabilities↗2006-09-29

▶

BSD

FreeBSD-SA-06:23.openssl: Multiple problems in crypto(3)↗2006-09-28

▶

Red Hat

openssl ASN.1 DoS↗2006-09-28

▶

📄Research Papers

arXiv

One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware↗2022-12-29

▶

💬Community

Bugzilla

CVE-2006-2937 openssl ASN.1 DoS↗2008-01-29

▶

Bugzilla

CVE-2006-3738 OpenSSL issues (CVE-2006-4343, CVE-2006-2940, CVE-2006-2937, CVE-2006-4339)↗2006-10-03

▶

Bugzilla

CVE-2006-2937 OpenSSL ASN1 DoS↗2006-09-20

▶