CVE-2015-0209
published 2015-03-19CVE-2015-0209: Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and…
PriorityP335medium6.8CVSS 2.0
AVNACMAuNCPIPAP
EPSS
16.33%
96.6th percentile
Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.
Affected
42 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | os_x_yosemite_v10.10.4_and_security_update_2015-005 | — | — |
| cisco | products | — | — |
| debian | openssl | < openssl 1.0.1k-2 (bookworm) | openssl 1.0.1k-2 (bookworm) |
| openssl | openssl | <= 0.9.8ze | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
CVSS provenance
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv6.8MEDIUM
vendor_debian6.8MEDIUM
vendor_redhat6.8MEDIUM
vendor_ubuntu6.8MEDIUM
vendor_cisco5.0MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Palo Alto
PAN-SA-2024-0014 Informational Bulletin: Impact of OSS CVEs in Cortex XDR Agent
vendor_paloalto·2024-11-07·CVSS 6.8
CVE-2014-0195 [MEDIUM] PAN-SA-2024-0014 Informational Bulletin: Impact of OSS CVEs in Cortex XDR Agent
PAN-SA-2024-0014 Informational Bulletin: Impact of OSS CVEs in Cortex XDR Agent
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to Cortex XDR Agent. While Cortex XDR Agent may include the
CVEs: CVE-2014-0195, CVE-2014-0224, CVE-2014-3509, CVE-2014-3512, CVE-2014-3513, CVE-2014-3567, CVE-2015-0209, CVE-2015-0292, CVE-2015-1789, CVE-2015-1791, CVE-2015-1793, CVE-2015-3194, CVE-2016-0705, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799, CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176, CVE-2016-2177, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2019-1551, CVE-2019-1552, CVE-2019-1559, CVE-2019-1563, CVE-2020-196
CISA ICS
Siemens SCALANCE X-200RNA Switch Devices
cisa_ics·2022-12-19
Siemens SCALANCE X-200RNA Switch Devices
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
Siemens SCALANCE X-200RNA Switch Devices
Last RevisedDecember 19, 2022
Alert CodeICSA-22-349-21
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Siemens
- Equipment: SCALANCE X-200RNA switch devices before V3.2.7
- Vulnerabilities: Observable Timing Discrepancy; Race Condition; Improper Restriction of Operations within the Bounds of a Memory Buffer; Improper Input Validation; NULL Pointer Dereference; Use After Free; Cryptographic Issues; Comparison of Incompatible Types; Resource Management
CISA ICS
Rockwell Automation Stratix 5900
cisa_ics·2017-05-10
Rockwell Automation Stratix 5900
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
Rockwell Automation Stratix 5900
Last RevisedMay 10, 2017
Alert CodeICSA-17-094-04
## CVSS v3 10.0
ATTENTION: Remotely exploitable/low skill level to exploit.
Vendor: Rockwell Automation
Equipment: Stratix 5900
Vulnerabilities: Improper Input Validation, Resource Management Errors, Improper Authentication, Path Traversal.
## REPOSTED INFORMATION
This advisory was originally posted to the NCCIC Portal on April 4, 2017, and is being released to the NCCIC/ICS-CERT web site.
## AFFECTED PRODUCTS
Rockwell Automation reports that these vulnerabilities affect the following Strat
Cisco
Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
vendor_cisco·2015-03-20·CVSS 5.0
CVE-2015-0207 [MEDIUM] CWE-119 Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulnerabilities. The following seven are actively under investigation and the vulnerabilities are referenced in this document as follows:
CVE-2015-0286: OpenSSL ASN1_TYPE_cmp Denial of Service Vulnerability
CVE-2015-0287: OpenSSL ASN.1 Structure Reuse Memory Corruption Vulnerability
CVE-2015-0289: OpenSSL PKCS7 NULL Pointer Dereference Denial of Service Vulnerability
CVE-2015-
BSD
FreeBSD-SA-15:06.openssl: Multiple OpenSSL vulnerabilities
bsd_advisories·2015-03-19·CVSS 6.8
CVE-2015-0204 [MEDIUM] FreeBSD-SA-15:06.openssl: Multiple OpenSSL vulnerabilities
FreeBSD-SA-15:06.openssl Security Advisory
The FreeBSD Project
Topic: Multiple OpenSSL vulnerabilities
Category: contrib
Module: openssl
Announced: 2015-03-19; Last revised on 2015-03-20.
Affects: All supported versions of FreeBSD.
Corrected: 2015-03-20 07:11:20 UTC (stable/10, 10.1-STABLE)
2015-03-20 07:12:02 UTC (releng/10.1, 10.1-RELEASE-p8)
2015-03-20 07:11:20 UTC (stable/9, 9.3-STABLE)
2015-03-20 07:12:02 UTC (releng/9.3, 9.3-RELEASE-p12)
2015-03-20 07:11:20 UTC (stable/8, 8.4-STABLE)
2015-03-20 07:12:02 UTC (releng/8.4, 8.4-RELEASE-p26)
CVE Name: CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288,
CVE-2015-0289, CVE-2015-0293
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following secti
Ubuntu
OpenSSL vulnerabilities
vendor_ubuntu·2015-03-19·CVSS 6.8
CVE-2015-0209 [MEDIUM] OpenSSL vulnerabilities
Title: OpenSSL vulnerabilities
Summary: Several security issues were fixed in OpenSSL.
It was discovered that OpenSSL incorrectly handled malformed EC private key
files. A remote attacker could possibly use this issue to cause OpenSSL to
crash, resulting in a denial of service, or execute arbitrary code.
(CVE-2015-0209)
Stephen Henson discovered that OpenSSL incorrectly handled comparing ASN.1
boolean types. A remote attacker could possibly use this issue to cause
OpenSSL to crash, resulting in a denial of service. (CVE-2015-0286)
Emilia Käsper discovered that OpenSSL incorrectly handled ASN.1 structure
reuse. A remote attacker could possibly use this issue to cause OpenSSL to
crash, resulting in a denial of service, or execute arbitrary code.
(CVE-2015-0287)
Brian Carpenter discovere
Red Hat
openssl: use-after-free on invalid EC private key import
vendor_redhat·2015-02-09·CVSS 6.8
CVE-2015-0209 [MEDIUM] CWE-416 openssl: use-after-free on invalid EC private key import
openssl: use-after-free on invalid EC private key import
Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.
A use-after-free flaw was found in the way OpenSSL imported malformed Elliptic Curve private keys. A specially crafted key file could cause an application using OpenSSL to crash when imported.
Package: openssl (Red Hat Enterprise Linux 5) - Not affected
Package: openssl097a (Red Hat Enterprise Linux 5) - Not affected
Pack
Debian
CVE-2015-0209: openssl - Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_as...
vendor_debian·2015·CVSS 6.8
CVE-2015-0209 [MEDIUM] CVE-2015-0209: openssl - Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_as...
Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.
Scope: local
bookworm: resolved (fixed in 1.0.1k-2)
bullseye: resolved (fixed in 1.0.1k-2)
forky: resolved (fixed in 1.0.1k-2)
sid: resolved (fixed in 1.0.1k-2)
trixie: resolved (fixed in 1.0.1k-2)
Apple
CVE-2015-0209: OS X Yosemite v10.10.4 and Security Update 2015-005
vendor_apple·CVSS 6.8
CVE-2015-0209 [MEDIUM] CVE-2015-0209: OS X Yosemite v10.10.4 and Security Update 2015-005
Apple Security Update: About the security content of OS X Yosemite v10.10.4 and Security Update 2015-005
Product: OS X Yosemite v10.10.4 and Security Update 2015-005
CVE: CVE-2015-0209
Component: CVE-2015-0209
Cisco
Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
vendor_cisco
CVE-2015-0286 Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
CVE-2015-0286: Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulnerabilities. The following seven are actively under investigation and the vulnerabilities are referenced in this document as follows: CVE-2015-0286: OpenSSL ASN1_TYPE_cmp Denial of Service Vulnerability CVE-2015-0287: OpenSSL ASN.1 Structure Reuse Memory Corruption Vulnerability CVE-2015-0289: OpenSSL PKCS7 NULL Pointer Dereference Denial of Service Vulnerabili
Cisco
Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
vendor_cisco
CVE-2015-0292 Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
CVE-2015-0292: Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulnerabilities. The following seven are actively under investigation and the vulnerabilities are referenced in this document as follows: CVE-2015-0286: OpenSSL ASN1_TYPE_cmp Denial of Service Vulnerability CVE-2015-0287: OpenSSL ASN.1 Structure Reuse Memory Corruption Vulnerability CVE-2015-0289: OpenSSL PKCS7 NULL Pointer Dereference Denial of Service Vulnerabili
Cisco
Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
vendor_cisco
CVE-2015-1787 Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
CVE-2015-1787: Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulnerabilities. The following seven are actively under investigation and the vulnerabilities are referenced in this document as follows: CVE-2015-0286: OpenSSL ASN1_TYPE_cmp Denial of Service Vulnerability CVE-2015-0287: OpenSSL ASN.1 Structure Reuse Memory Corruption Vulnerability CVE-2015-0289: OpenSSL PKCS7 NULL Pointer Dereference Denial of Service Vulnerabili
Cisco
Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
vendor_cisco
CVE-2015-0289 Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
CVE-2015-0289: Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulnerabilities. The following seven are actively under investigation and the vulnerabilities are referenced in this document as follows: CVE-2015-0286: OpenSSL ASN1_TYPE_cmp Denial of Service Vulnerability CVE-2015-0287: OpenSSL ASN.1 Structure Reuse Memory Corruption Vulnerability CVE-2015-0289: OpenSSL PKCS7 NULL Pointer Dereference Denial of Service Vulnerabili
Cisco
Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
vendor_cisco
CVE-2015-0288 Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
CVE-2015-0288: Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulnerabilities. The following seven are actively under investigation and the vulnerabilities are referenced in this document as follows: CVE-2015-0286: OpenSSL ASN1_TYPE_cmp Denial of Service Vulnerability CVE-2015-0287: OpenSSL ASN.1 Structure Reuse Memory Corruption Vulnerability CVE-2015-0289: OpenSSL PKCS7 NULL Pointer Dereference Denial of Service Vulnerabili
Cisco
Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
vendor_cisco
CVE-2015-0209 Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
CVE-2015-0209: Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulnerabilities. The following seven are actively under investigation and the vulnerabilities are referenced in this document as follows: CVE-2015-0286: OpenSSL ASN1_TYPE_cmp Denial of Service Vulnerability CVE-2015-0287: OpenSSL ASN.1 Structure Reuse Memory Corruption Vulnerability CVE-2015-0289: OpenSSL PKCS7 NULL Pointer Dereference Denial of Service Vulnerabili
Cisco
Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
vendor_cisco
CVE-2015-0208 Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
CVE-2015-0208: Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulnerabilities. The following seven are actively under investigation and the vulnerabilities are referenced in this document as follows: CVE-2015-0286: OpenSSL ASN1_TYPE_cmp Denial of Service Vulnerability CVE-2015-0287: OpenSSL ASN.1 Structure Reuse Memory Corruption Vulnerability CVE-2015-0289: OpenSSL PKCS7 NULL Pointer Dereference Denial of Service Vulnerabili
Cisco
Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
vendor_cisco
CVE-2015-0207 Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
CVE-2015-0207: Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulnerabilities. The following seven are actively under investigation and the vulnerabilities are referenced in this document as follows: CVE-2015-0286: OpenSSL ASN1_TYPE_cmp Denial of Service Vulnerability CVE-2015-0287: OpenSSL ASN.1 Structure Reuse Memory Corruption Vulnerability CVE-2015-0289: OpenSSL PKCS7 NULL Pointer Dereference Denial of Service Vulnerabili
Cisco
Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
vendor_cisco
CVE-2015-0290 Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
CVE-2015-0290: Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulnerabilities. The following seven are actively under investigation and the vulnerabilities are referenced in this document as follows: CVE-2015-0286: OpenSSL ASN1_TYPE_cmp Denial of Service Vulnerability CVE-2015-0287: OpenSSL ASN.1 Structure Reuse Memory Corruption Vulnerability CVE-2015-0289: OpenSSL PKCS7 NULL Pointer Dereference Denial of Service Vulnerabili
Cisco
Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
vendor_cisco
CVE-2015-0291 Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
CVE-2015-0291: Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulnerabilities. The following seven are actively under investigation and the vulnerabilities are referenced in this document as follows: CVE-2015-0286: OpenSSL ASN1_TYPE_cmp Denial of Service Vulnerability CVE-2015-0287: OpenSSL ASN.1 Structure Reuse Memory Corruption Vulnerability CVE-2015-0289: OpenSSL PKCS7 NULL Pointer Dereference Denial of Service Vulnerabili
Cisco
Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
vendor_cisco
CVE-2015-0287 Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
CVE-2015-0287: Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulnerabilities. The following seven are actively under investigation and the vulnerabilities are referenced in this document as follows: CVE-2015-0286: OpenSSL ASN1_TYPE_cmp Denial of Service Vulnerability CVE-2015-0287: OpenSSL ASN.1 Structure Reuse Memory Corruption Vulnerability CVE-2015-0289: OpenSSL PKCS7 NULL Pointer Dereference Denial of Service Vulnerabili
Cisco
Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
vendor_cisco
CVE-2015-0285 Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
CVE-2015-0285: Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulnerabilities. The following seven are actively under investigation and the vulnerabilities are referenced in this document as follows: CVE-2015-0286: OpenSSL ASN1_TYPE_cmp Denial of Service Vulnerability CVE-2015-0287: OpenSSL ASN.1 Structure Reuse Memory Corruption Vulnerability CVE-2015-0289: OpenSSL PKCS7 NULL Pointer Dereference Denial of Service Vulnerabili
Cisco
Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
vendor_cisco
CVE-2015-0293 Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
CVE-2015-0293: Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. On March 19, 2015, the OpenSSL Project released a security advisory detailing 13 distinct vulnerabilities. The following seven are actively under investigation and the vulnerabilities are referenced in this document as follows: CVE-2015-0286: OpenSSL ASN1_TYPE_cmp Denial of Service Vulnerability CVE-2015-0287: OpenSSL ASN.1 Structure Reuse Memory Corruption Vulnerability CVE-2015-0289: OpenSSL PKCS7 NULL Pointer Dereference Denial of Service Vulnerabili
GHSA
GHSA-gc3c-j46x-fm67: Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1
ghsa_unreviewed·2022-05-14
CVE-2015-0209 [MEDIUM] GHSA-gc3c-j46x-fm67: Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1
Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.
OSV
CVE-2015-0209: Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1
osv·2015-03-19·CVSS 6.8
CVE-2015-0209 [MEDIUM] CVE-2015-0209: Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1
Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.
OSV
openssl vulnerabilities
osv·2015-03-19·CVSS 6.8
CVE-2015-0209 [MEDIUM] openssl vulnerabilities
openssl vulnerabilities
It was discovered that OpenSSL incorrectly handled malformed EC private key
files. A remote attacker could possibly use this issue to cause OpenSSL to
crash, resulting in a denial of service, or execute arbitrary code.
(CVE-2015-0209)
Stephen Henson discovered that OpenSSL incorrectly handled comparing ASN.1
boolean types. A remote attacker could possibly use this issue to cause
OpenSSL to crash, resulting in a denial of service. (CVE-2015-0286)
Emilia Käsper discovered that OpenSSL incorrectly handled ASN.1 structure
reuse. A remote attacker could possibly use this issue to cause OpenSSL to
crash, resulting in a denial of service, or execute arbitrary code.
(CVE-2015-0287)
Brian Carpenter discovered that OpenSSL incorrectly handled invalid
certificate keys. A r
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-0209 CVE-2015-0293 CVE-2015-0287 CVE-2015-0286 CVE-2015-0289 CVE-2015-0288 mingw-openssl: various flaws [epel-7]
bugzilla·2015-03-19·CVSS 6.8
CVE-2015-0209 [MEDIUM] CVE-2015-0209 CVE-2015-0293 CVE-2015-0287 CVE-2015-0286 CVE-2015-0289 CVE-2015-0288 mingw-openssl: various flaws [epel-7]
CVE-2015-0209 CVE-2015-0293 CVE-2015-0287 CVE-2015-0286 CVE-2015-0289 CVE-2015-0288 mingw-openssl: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-7
Bugzilla
CVE-2015-0209 CVE-2015-0293 CVE-2015-0287 CVE-2015-0286 CVE-2015-0289 CVE-2015-0288 mingw-openssl: various flaws [fedora-all]
bugzilla·2015-03-19·CVSS 6.8
CVE-2015-0209 [MEDIUM] CVE-2015-0209 CVE-2015-0293 CVE-2015-0287 CVE-2015-0286 CVE-2015-0289 CVE-2015-0288 mingw-openssl: various flaws [fedora-all]
CVE-2015-0209 CVE-2015-0293 CVE-2015-0287 CVE-2015-0286 CVE-2015-0289 CVE-2015-0288 mingw-openssl: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: th
Bugzilla
CVE-2015-0292 CVE-2015-0209 CVE-2015-0287 CVE-2015-0286 CVE-2015-0289 CVE-2015-0288 openssl: various flaws [fedora-all]
bugzilla·2015-02-26·CVSS 6.8
CVE-2015-0292 [MEDIUM] CVE-2015-0292 CVE-2015-0209 CVE-2015-0287 CVE-2015-0286 CVE-2015-0289 CVE-2015-0288 openssl: various flaws [fedora-all]
CVE-2015-0292 CVE-2015-0209 CVE-2015-0287 CVE-2015-0286 CVE-2015-0289 CVE-2015-0288 openssl: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this iss
Bugzilla
CVE-2015-0209 openssl: use-after-free on invalid EC private key import
bugzilla·2015-02-26·CVSS 6.8
CVE-2015-0209 [MEDIUM] CVE-2015-0209 openssl: use-after-free on invalid EC private key import
CVE-2015-0209 openssl: use-after-free on invalid EC private key import
From openssl git:
commit 1b4a8df38fc9ab3c089ca5765075ee53ec5bd66a
Author: Matt Caswell
Date: Mon Feb 9 11:38:41 2015 +0000
Fix a failure to NULL a pointer freed on error.
Inspired by BoringSSL commit 517073cd4b by Eric Roman
CVE-2015-0209
Reviewed-by: Emilia Käsper
in elliptic curves code. might cause a double free, but its hard to say.
Discussion:
Created openssl tracking bugs for this issue:
Affects: fedora-all [bug 1196738]
---
Upstream commit (against openssl-0.9.8):
https://github.com/openssl/openssl/commit/1b4a8df38fc9ab3c089ca5765075ee53ec5bd66a
---
Referenced boringssl commit, boringssl/Chrome upstream bug (currently not public), and review request:
https://boringssl.googlesource.com/boringssl/+/
Tenable
[R3] LCE 5.0.0 Fixes Multiple Third-party Library Vulnerabilities
blogs_tenable·2017-01-31
[R3] LCE 5.0.0 Fixes Multiple Third-party Library Vulnerabilities
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Tenable
[R6] OpenSSL '20150319' Advisory Affects Tenable Products
blogs_tenable·2015-03-29
[R6] OpenSSL '20150319' Advisory Affects Tenable Products
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10680http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2015-March/152733.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2015-March/152734.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2015-March/152844.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2015-May/156823.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2015-May/157177.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-03/msg00022.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-07/msg00037.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.htmlhttp://lists.opensuse.org/opensuse-updates/2015-03/msg00062.htmlhttp://marc.info/?l=bugtraq&m=142841429220765&w=2http://marc.info/?l=bugtraq&m=143213830203296&w=2http://marc.info/?l=bugtraq&m=143748090628601&w=2http://marc.info/?l=bugtraq&m=144050155601375&w=2http://marc.info/?l=bugtraq&m=144050254401665&w=2http://marc.info/?l=bugtraq&m=144050297101809&w=2http://rhn.redhat.com/errata/RHSA-2015-0715.htmlhttp://rhn.redhat.com/errata/RHSA-2015-0716.htmlhttp://rhn.redhat.com/errata/RHSA-2015-0752.htmlhttp://rhn.redhat.com/errata/RHSA-2016-1089.htmlhttp://rhn.redhat.com/errata/RHSA-2016-2957.htmlhttp://support.apple.com/kb/HT204942http://www.debian.org/security/2015/dsa-3197http://www.mandriva.com/security/advisories?name=MDVSA-2015:062http://www.mandriva.com/security/advisories?name=MDVSA-2015:063http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlhttp://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.htmlhttp://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.htmlhttp://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.htmlhttp://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.htmlhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.htmlhttp://www.securityfocus.com/bid/73239http://www.securitytracker.com/id/1031929http://www.ubuntu.com/usn/USN-2537-1https://access.redhat.com/articles/1384453https://bto.bluecoat.com/security-advisory/sa92https://bugzilla.redhat.com/show_bug.cgi?id=1196737https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdfhttps://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=1b4a8df38fc9ab3c089ca5765075ee53ec5bd66ahttps://kc.mcafee.com/corporate/index?page=content&id=SB10110https://security.gentoo.org/glsa/201503-11https://support.citrix.com/article/CTX216642https://www.freebsd.org/security/advisories/FreeBSD-SA-15%3A06.openssl.aschttps://www.openssl.org/news/secadv_20150319.txthttp://kb.juniper.net/InfoCenter/index?page=content&id=JSA10680http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2015-March/152733.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2015-March/152734.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2015-March/152844.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2015-May/156823.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2015-May/157177.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-03/msg00022.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-07/msg00037.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.htmlhttp://lists.opensuse.org/opensuse-updates/2015-03/msg00062.htmlhttp://marc.info/?l=bugtraq&m=142841429220765&w=2http://marc.info/?l=bugtraq&m=143213830203296&w=2http://marc.info/?l=bugtraq&m=143748090628601&w=2http://marc.info/?l=bugtraq&m=144050155601375&w=2http://marc.info/?l=bugtraq&m=144050254401665&w=2http://marc.info/?l=bugtraq&m=144050297101809&w=2http://rhn.redhat.com/errata/RHSA-2015-0715.htmlhttp://rhn.redhat.com/errata/RHSA-2015-0716.htmlhttp://rhn.redhat.com/errata/RHSA-2015-0752.htmlhttp://rhn.redhat.com/errata/RHSA-2016-1089.htmlhttp://rhn.redhat.com/errata/RHSA-2016-2957.htmlhttp://support.apple.com/kb/HT204942http://www.debian.org/security/2015/dsa-3197http://www.mandriva.com/security/advisories?name=MDVSA-2015:062http://www.mandriva.com/security/advisories?name=MDVSA-2015:063http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlhttp://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.htmlhttp://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.htmlhttp://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.htmlhttp://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.htmlhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.htmlhttp://www.securityfocus.com/bid/73239http://www.securitytracker.com/id/1031929http://www.ubuntu.com/usn/USN-2537-1https://access.redhat.com/articles/1384453https://bto.bluecoat.com/security-advisory/sa92https://bugzilla.redhat.com/show_bug.cgi?id=1196737https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdfhttps://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=1b4a8df38fc9ab3c089ca5765075ee53ec5bd66ahttps://kc.mcafee.com/corporate/index?page=content&id=SB10110https://security.gentoo.org/glsa/201503-11https://support.citrix.com/article/CTX216642https://www.freebsd.org/security/advisories/FreeBSD-SA-15%3A06.openssl.aschttps://www.openssl.org/news/secadv_20150319.txt
2015-03-19
Published