0.9.8s : Security Vulnerabilities

Cpe Name:cpe:/a:openssl:openssl:0.9.8s

CVSS Scores Greater Than: 0 1 2 3 4 5 6 7 8 9

Sort Results By : Cve Number Descending Cve Number Ascending CVSS Score Descending Number Of Exploits Descending

Copy Results Download Results Select Table

#	CVE ID	CWE ID	Vulnerability Type(s)	Publish Date	Update Date	Score	Gained Access Level	Access	Complexity	Authentication	Conf.	Integ.	Avail.
1	CVE-2013-0169	310		2013-02-08	2013-06-04	2.6	None	Remote	High	Not required	Partial	None	None
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
2	CVE-2013-0166	310	DoS	2013-02-08	2013-06-04	5.0	None	Remote	Low	Not required	None	None	Partial
OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.
3	CVE-2012-2333	189	DoS	2012-05-14	2013-06-05	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.
4	CVE-2012-2110	119	DoS Overflow Mem. Corr.	2012-04-19	2013-06-05	7.5	None	Remote	Low	Not required	Partial	Partial	Partial
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.
5	CVE-2012-1165	399	DoS	2012-03-15	2013-05-03	5.0	None	Remote	Low	Not required	None	None	Partial
The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250.
6	CVE-2012-0884	310		2012-03-12	2013-05-03	5.0	None	Remote	Low	Not required	Partial	None	None
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
7	CVE-2012-0050	399	DoS	2012-01-19	2013-06-05	5.0	None	Remote	Low	Not required	None	None	Partial
OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, which allows remote attackers to cause a denial of service (crash) via unspecified vectors related to an out-of-bounds read. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4108.
8	CVE-2012-0027	399	DoS	2012-01-05	2012-07-03	5.0	None	Remote	Low	Not required	None	None	Partial
The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client.
9	CVE-2011-3210	399	DoS	2011-09-22	2013-06-05	5.0	None	Remote	Low	Not required	None	None	Partial
The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages from clients, which allows remote attackers to cause a denial of service (daemon crash) via out-of-order messages that violate the TLS protocol.
10	CVE-2011-1473	264	DoS	2012-06-16	2012-06-18	5.0	None	Remote	Low	Not required	None	None	Partial
DISPUTED OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.
11	CVE-2006-7250		DoS	2012-02-29	2013-01-22	5.0	None	Remote	Low	Not required	None	None	Partial
The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message.

Total number of vulnerabilities : 11 Page : 1 (This Page)