Vulnerability Details : CVE-2015-0292
Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow.
Vulnerability category: OverflowMemory CorruptionDenial of service
Products affected by CVE-2015-0292
- cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.0a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.0b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.0g:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.0f:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.0e:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.0k:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.0j:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1e:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1d:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.0l:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.0d:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.0c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.0i:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.0h:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1g:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-0292
20.90%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 97 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-0292
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
CWE ids for CVE-2015-0292
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-0292
-
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
Oracle Critical Patch Update - January 2016
-
http://www.ubuntu.com/usn/USN-2537-1
USN-2537-1: OpenSSL vulnerabilities | Ubuntu security notices
-
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
Oracle Solaris Third Party Bulletin - April 2015
-
http://rhn.redhat.com/errata/RHSA-2015-0800.html
RHSA-2015:0800 - Security Advisory - Red Hat Customer Portal
-
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152844.html
[SECURITY] Fedora 20 Update: openssl-1.0.1e-42.fc20
-
http://rhn.redhat.com/errata/RHSA-2015-0715.html
RHSA-2015:0715 - Security Advisory - Red Hat Customer Portal
-
http://marc.info/?l=bugtraq&m=143748090628601&w=2
'[security bulletin] HPSBMU03380 rev.1 - HP System Management Homepage (SMH) on Linux and Windows, Mu' - MARC
-
https://security.gentoo.org/glsa/201503-11
OpenSSL: Multiple vulnerabilities (GLSA 201503-11) — Gentoo security
-
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10680
Juniper Networks - 2015-04 Security Bulletin: OpenSSL 19th March 2015 advisory
-
http://www.securitytracker.com/id/1031929
OpenSSL Multiple Flaws Let Remote Users Deny Service - SecurityTracker
-
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=d0666f289ac013094bbbf547bfbcd616199b7d2d
git.openssl.org Git - openssl.git/commit
-
http://marc.info/?l=bugtraq&m=144050297101809&w=2
'[security bulletin] HPSBMU03397 rev.1 - HP Version Control Agent (VCA) on Windows and Linux, Multipl' - MARC
-
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152733.html
[SECURITY] Fedora 21 Update: openssl-1.0.1k-6.fc21
-
https://bto.bluecoat.com/security-advisory/sa92
SA92 : OpenSSL Security Advisory 19-Mar-2015
-
http://www.securityfocus.com/bid/73228
OpenSSL '/evp/encode.c' Remote Memory Corruption Vulnerability
-
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Oracle Critical Patch Update - October 2017
-
https://rt.openssl.org/Ticket/Display.html?id=2608&user=guest&pass=guest
#2608: bug report: segfault from base64 decodingExploit
-
https://kc.mcafee.com/corporate/index?page=content&id=SB10110
McAfee Security Bulletin: Fourteen OpenSSL CVEs Announced on March 19, 2015
-
http://marc.info/?l=bugtraq&m=143213830203296&w=2
'[security bulletin] HPSBUX03334 SSRT102000 rev.1 - HP-UX Running OpenSSL, Remote Denial of Service (' - MARC
-
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
Oracle Bulletin Board Update - January 2015
-
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html
[security-announce] SUSE-SU-2015:0578-1: important: Security update for
-
https://www.openssl.org/news/secadv_20150319.txt
Vendor Advisory
-
http://www.fortiguard.com/advisory/2015-03-24-openssl-vulnerabilities-march-2015
FortiGuard
-
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
Oracle Critical Patch Update - July 2015
-
http://rhn.redhat.com/errata/RHSA-2015-0752.html
RHSA-2015:0752 - Security Advisory - Red Hat Customer Portal
-
http://marc.info/?l=bugtraq&m=144050155601375&w=2
'[security bulletin] HPSBMU03409 rev.1 - HP Matrix Operating Environment, Multiple Vulnerabilities' - MARC
-
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
-
http://rhn.redhat.com/errata/RHSA-2015-0716.html
RHSA-2015:0716 - Security Advisory - Red Hat Customer Portal
-
https://bugzilla.redhat.com/show_bug.cgi?id=1202395
1202395 – (CVE-2015-0292) CVE-2015-0292 openssl: integer underflow leading to buffer overflow in base64 decoding
-
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152734.html
[SECURITY] Fedora 22 Update: openssl-1.0.1k-6.fc22
-
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
Oracle Critical Patch Update - October 2015
-
https://access.redhat.com/articles/1384453
Access denied - Red Hat Customer Portal
-
https://support.citrix.com/article/CTX216642
Multiple Security Vulnerabilities in Citrix NetScaler Platform IPMI Lights Out Management (LOM) firmware
-
http://www.debian.org/security/2015/dsa-3197
Debian -- Security Information -- DSA-3197-1 openssl
Jump to