CVE-2012-0884
published 2012-03-13CVE-2012-0884: The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle…
PriorityP430medium5CVSS 2.0
AVNACLAuNCPINAN
EPSS
13.08%
95.9th percentile
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
Affected
71 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssl | < openssl 1.0.0h-1 (bookworm) | openssl 1.0.0h-1 (bookworm) |
| openssl | openssl | <= 0.9.8t | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
CVSS provenance
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
osv5.0MEDIUM
vendor_debian5.0LOW
vendor_redhat5.0MEDIUM
vendor_ubuntu5.0MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-wwwj-58hm-mxm3: The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0
ghsa_unreviewed·2022-05-14
CVE-2012-0884 [MEDIUM] GHSA-wwwj-58hm-mxm3: The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
OSV
CVE-2012-0884: The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0
osv·2012-03-13·CVSS 5.0
CVE-2012-0884 [MEDIUM] CVE-2012-0884: The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
BSD
FreeBSD-SA-12:01.openssl: OpenSSL multiple vulnerabilities
bsd_advisories·2012-05-30·CVSS 9.3
CVE-2011-4109 [CRITICAL] FreeBSD-SA-12:01.openssl: OpenSSL multiple vulnerabilities
FreeBSD-SA-12:01.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2012-05-03
Credits: Adam Langley, George Kadianakis, Ben Laurie,
Ivan Nestlerode, Tavis Ormandy
Affects: All supported versions of FreeBSD.
Corrected: 2012-05-30 12:01:28 UTC (RELENG_7, 7.4-STABLE)
2012-05-30 12:01:28 UTC (RELENG_7_4, 7.4-RELEASE-p8)
2012-05-30 12:01:28 UTC (RELENG_8, 8.3-STABLE)
2012-05-30 12:01:28 UTC (RELENG_8_3, 8.3-RELEASE-p2)
2012-05-30 12:01:28 UTC (RELENG_8_2, 8.2-RELEASE-p8)
2012-05-30 12:01:28 UTC (RELENG_8_1, 8.1-RELEASE-p10)
2012-05-30 12:01:28 UTC (RELENG_9, 9.0-STABLE)
2012-05-30 12:01:28 UTC (RELENG_9_0, 9.0-RELEASE-p2)
CVE Name: CVE-2011-4576, CVE-2011-4619, CVE-2011-4109,
CVE-2012-0884, CVE-2012-2110
For gen
Ubuntu
OpenSSL vulnerabilities
vendor_ubuntu·2012-05-24·CVSS 5.0
CVE-2012-0884 [MEDIUM] OpenSSL vulnerabilities
Title: OpenSSL vulnerabilities
Summary: Applications using OpenSSL in certain situations could be made to
crash or expose sensitive information.
Ivan Nestlerode discovered that the Cryptographic Message Syntax
(CMS) and PKCS #7 implementations in OpenSSL returned early if RSA
decryption failed. This could allow an attacker to expose sensitive
information via a Million Message Attack (MMA). (CVE-2012-0884)
It was discovered that an integer underflow was possible when using
TLS 1.1, TLS 1.2, or DTLS with CBC encryption. This could allow a
remote attacker to cause a denial of service. (CVE-2012-2333)
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
Red Hat
openssl: CMS and PKCS#7 Bleichenbacher attack
vendor_redhat·2012-03-12·CVSS 5.0
CVE-2012-0884 [MEDIUM] openssl: CMS and PKCS#7 Bleichenbacher attack
openssl: CMS and PKCS#7 Bleichenbacher attack
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
Package: openssl (Red Hat Enterprise Linux 4) - Will not fix
Package: openssl096b (Red Hat Enterprise Linux 4) - Will not fix
Package: openssl097a (Red Hat Enterprise Linux 5) - Will not fix
Package: openssl098e (Red Hat Enterprise Linux 6) - Will not fix
Package: openssl (Red Hat JBoss Enterprise Web Server 1) - Affected
Debian
CVE-2012-0884: openssl - The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL ...
vendor_debian·2012·CVSS 5.0
CVE-2012-0884 [MEDIUM] CVE-2012-0884: openssl - The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL ...
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
Scope: local
bookworm: resolved (fixed in 1.0.0h-1)
bullseye: resolved (fixed in 1.0.0h-1)
forky: resolved (fixed in 1.0.0h-1)
sid: resolved (fixed in 1.0.0h-1)
trixie: resolved (fixed in 1.0.0h-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-0884 openssl: CMS and PKCS#7 Bleichenbacher attack
bugzilla·2012-03-13·CVSS 5.0
CVE-2012-0884 [MEDIUM] CVE-2012-0884 openssl: CMS and PKCS#7 Bleichenbacher attack
CVE-2012-0884 openssl: CMS and PKCS#7 Bleichenbacher attack
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-0884 to the following vulnerability:
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
References:
[1] http://www.openssl.org/news/secadv_20120312.txt
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884
Discussion:
Upstream commits:
http://cvs.openssl.org/chngview?cn=22238 0.9.8
http://cvs.openssl.org/chngview?cn=22228 1.0.0
http://cvs.openssl.org/chngview?cn=22251 trunk
Cryptographic Message
Bugzilla
CVE-2012-1165 CVE-2012-0884 openssl various flaws [fedora-all]
bugzilla·2012-03-13·CVSS 5.0
CVE-2012-1165 [MEDIUM] CVE-2012-1165 CVE-2012-0884 openssl various flaws [fedora-all]
CVE-2012-1165 CVE-2012-0884 openssl various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=802489
Bugzilla
CVE-2012-1165 CVE-2012-0884 mingw32-openssl various flaws [epel-5]
bugzilla·2012-03-13·CVSS 5.0
CVE-2012-1165 [MEDIUM] CVE-2012-1165 CVE-2012-0884 mingw32-openssl various flaws [epel-5]
CVE-2012-1165 CVE-2012-0884 mingw32-openssl various flaws [epel-5]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=802
Bugzilla
CVE-2012-1165 CVE-2012-0884 mingw32-openssl various flaws [fedora-all]
bugzilla·2012-03-13·CVSS 5.0
CVE-2012-1165 [MEDIUM] CVE-2012-1165 CVE-2012-0884 mingw32-openssl various flaws [fedora-all]
CVE-2012-1165 CVE-2012-0884 mingw32-openssl various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs
arXiv
Graphene: Infrastructure Security Posture Analysis with AI-generated Attack Graphs
arxiv_fulltext·2024-05-01
Graphene: Infrastructure Security Posture Analysis with AI-generated Attack Graphs
: A Holistic Security Posture Analyzer for Edge Computing
Xin Jin, Charalampos Katsis, Fan Sang, Jiahao Sun, Ashish Kundu, Ramana Kompella
xijin3, ckatsis, fsang, jiahasun, ashkundu, [email protected]
Cisco Research
San Jose
California
USA
43017-6221
Trovato et al.
## Abstract
is a system that aims to analyze the security posture of an edge infrastructure thoroughly. The user provides necessary information for the given infrastructure, such as device information and connections, and performs a security analysis that involves finding associated vulnerabilities and using vulnerability knowledge to construct attack paths that an adversary may leverage. In addition, investigates how likely are those paths exploitable and quantifies the overall security posture of the system using a scor
arXiv
CEBin: A Cost-Effective Framework for Large-Scale Binary Code Similarity Detection
arxiv_fulltext·2024-02-29
CEBin: A Cost-Effective Framework for Large-Scale Binary Code Similarity Detection
: A Cost-Effective Framework for Large-Scale Binary Code Similarity Detection
Hao Wang^1, Zeyu Gao^1, Chao Zhang^1, Mingyang Sun^2, Yuchen Zhou^3, Han Qiu^1, Xi Xiao^4
Hao Wang, Zeyu Gao, Chao Zhang, Mingyang Sun, Yuchen Zhou, Han Qiu, Xi Xiao
^1Tsinghua University, Beijing, China
^2University of Electronic Science and Technology of China, Chengdu, China
^3Beijing University of Technology, Beijing, China
^4Tsinghua University, Shenzhen, China
hao-wang20,[email protected],chaoz,[email protected]
[email protected],[email protected],[email protected]
Wang, et al.
## Abstract
Binary code similarity detection (BCSD) is a fundamental technique for various application.
Many BCSD solutions have been proposed recently, which mostly are embed
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077086.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2012-April/077221.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2012-April/077666.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2012-November/092905.htmlhttp://marc.info/?l=bugtraq&m=133728068926468&w=2http://marc.info/?l=bugtraq&m=133951357207000&w=2http://marc.info/?l=bugtraq&m=134039053214295&w=2http://rhn.redhat.com/errata/RHSA-2012-0426.htmlhttp://rhn.redhat.com/errata/RHSA-2012-0488.htmlhttp://rhn.redhat.com/errata/RHSA-2012-0531.htmlhttp://rhn.redhat.com/errata/RHSA-2012-1306.htmlhttp://rhn.redhat.com/errata/RHSA-2012-1307.htmlhttp://rhn.redhat.com/errata/RHSA-2012-1308.htmlhttp://secunia.com/advisories/48580http://secunia.com/advisories/48895http://secunia.com/advisories/48916http://secunia.com/advisories/57353http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564http://www.debian.org/security/2012/dsa-2454http://www.kb.cert.org/vuls/id/737740http://www.openssl.org/news/secadv_20120312.txthttps://downloads.avaya.com/css/P8/documents/100162507https://hermes.opensuse.org/messages/14330767http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077086.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2012-April/077221.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2012-April/077666.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2012-November/092905.htmlhttp://marc.info/?l=bugtraq&m=133728068926468&w=2http://marc.info/?l=bugtraq&m=133951357207000&w=2http://marc.info/?l=bugtraq&m=134039053214295&w=2http://rhn.redhat.com/errata/RHSA-2012-0426.htmlhttp://rhn.redhat.com/errata/RHSA-2012-0488.htmlhttp://rhn.redhat.com/errata/RHSA-2012-0531.htmlhttp://rhn.redhat.com/errata/RHSA-2012-1306.htmlhttp://rhn.redhat.com/errata/RHSA-2012-1307.htmlhttp://rhn.redhat.com/errata/RHSA-2012-1308.htmlhttp://secunia.com/advisories/48580http://secunia.com/advisories/48895http://secunia.com/advisories/48916http://secunia.com/advisories/57353http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564http://www.debian.org/security/2012/dsa-2454http://www.kb.cert.org/vuls/id/737740http://www.openssl.org/news/secadv_20120312.txthttps://downloads.avaya.com/css/P8/documents/100162507https://hermes.opensuse.org/messages/14330767
2012-03-13
Published