Vulnerability CVE-2015-1793: Information

Description

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.

Severity: MEDIUM (6.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Published: July 9, 2015
Modified: November 7, 2023
Weakness type identifier: CWE-254

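Fixed packages

| Package name | Branch | Fixed in version | Version in repository | Errata ID | Task No. | Status |
|---|---|---|---|---|---|---|
| openssl10 | p9 | 1.0.1k-alt4 | 1.0.2u-alt1.p9.2 | ALT-PU-2015-1600-1 | 146214 | Fixed |
| openssl10 | c9f2 | 1.0.1k-alt4 | 1.0.2u-alt1.p9.1 | ALT-PU-2015-1600-1 | 146214 | Fixed |
| openssl10 | c7 | 1.0.1r-alt0.M70C.1 | 1.0.1u-alt0.M70C.1 | ALT-PU-2016-1072-1 | 156803 | Fixed |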
openssl10c71.0.1r-alt0.M70C.11.0.1u-alt0.M70C.1ALT-PU-2016-1072-1156803Исправлено

References to advisories, solutions, and tools

| Link | Resource |
|---|---|
| http://openssl.org/news/secadv_20150709.txt | Vendor Advisory |
| SSRT102180 | |
| http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10694 | |
| http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html | Patch |
| http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html | Patch |
| http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html | Patch |
| http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html | |
| 91787 | |
| https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05184351 | |
| https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05045763 | |
| HPSBGN03424 | |
| http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html | |
| http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html | |
| 75652 | |
| http://fortiguard.com/advisory/2015-07-09-cve-2015-1793-openssl-alternative-chains-certificate-forgery | |
| http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-454058.htm | |
| http://www.fortiguard.com/advisory/2015-07-09-cve-2015-1793-openssl-alternative-chains-certificate-forgery | |
| https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04822825 | |
| https://kc.mcafee.com/corporate/index?page=content&id=SB10125 | |
| GLSA-201507-15 | |
| NetBSD-SA2015-008 | |
| FreeBSD-SA-15:12 | |
| SSA:2015-190-01 | |
| 1032817 | |
| 20150710 OpenSSL Alternative Chains Certificate Forgery Vulnerability (July 2015) Affecting Cisco Products | |
| FEDORA-2015-11475 | |
| FEDORA-2015-11414 | |
| 38640 | |
| http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html | |
| https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes | |
| https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=9a0db453ba017ebcaccbee933ee6511a9ae4d1c8 | |

Configuration 1

cpe:2.3:a:oracle:supply_chain_products_suite:6.1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:supply_chain_products_suite:6.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:supply_chain_products_suite:6.1.3.0:*:*:*:*:*:*:*

Configuration 2

cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1:*:*:*:*:*:*:*

Configuration 3

cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.1n:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.1o:*:*:*:*:*:*:*

Configuration 4

cpe:2.3:o:oracle:opus_10g_ethernet_switch_family:*:*:*:*:*:*:*:*
End including: 2.0.0.6