National Cyber-Alert System

Vulnerability Summary for CVE-2009-0789

Overview

OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

Vendor Statments (disclaimer)

Official Statement from Red Hat (03/30/2009)

Not vulnerable. This issue only affects a small number of operating systems and does not affect the openssl packages as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: BID

Name: 34256

Type: Patch Information

Hyperlink:http://www.securityfocus.com/bid/34256

External Source: XF

Name: openssl-asn1-structure-dos(49433)

Hyperlink:http://xforce.iss.net/xforce/xfdb/49433

External Source: VUPEN

Name: ADV-2009-1548

Hyperlink:http://www.vupen.com/english/advisories/2009/1548

External Source: VUPEN

Name: ADV-2009-1175

Hyperlink:http://www.vupen.com/english/advisories/2009/1175

External Source: VUPEN

Name: ADV-2009-1020

Hyperlink:http://www.vupen.com/english/advisories/2009/1020

External Source: VUPEN

Name: ADV-2009-0850

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2009/0850

External Source: CONFIRM

Name: http://www.php.net/archive/2009.php#id2009-04-08-1

Hyperlink:http://www.php.net/archive/2009.php#id2009-04-08-1

External Source: OSVDB

Name: 52866

Hyperlink:http://www.osvdb.org/52866

External Source: CONFIRM

Name: http://www.openssl.org/news/secadv_20090325.txt

Type: Advisory

Hyperlink:http://www.openssl.org/news/secadv_20090325.txt

External Source: CONFIRM

Name: http://voodoo-circle.sourceforge.net/sa/sa-20090326-01.html

Hyperlink:http://voodoo-circle.sourceforge.net/sa/sa-20090326-01.html

External Source: CONFIRM

Name: http://sourceforge.net/project/shownotes.php?release_id=671059&group_id=116847

Hyperlink:http://sourceforge.net/project/shownotes.php?release_id=671059&group_id=116847

External Source: SECTRACK

Name: 1021906

Hyperlink:http://securitytracker.com/id?1021906

External Source: SECUNIA

Name: 35729

Hyperlink:http://secunia.com/advisories/35729

External Source: SECUNIA

Name: 35380

Hyperlink:http://secunia.com/advisories/35380

External Source: SECUNIA

Name: 35065

Hyperlink:http://secunia.com/advisories/35065

External Source: SECUNIA

Name: 34666

Hyperlink:http://secunia.com/advisories/34666

External Source: SECUNIA

Name: 34460

Type: Advisory

Hyperlink:http://secunia.com/advisories/34460

External Source: SECUNIA

Name: 34411

Type: Advisory

Hyperlink:http://secunia.com/advisories/34411

External Source: HP

Name: HPSBUX02435

Hyperlink:http://marc.info/?l=bugtraq&m=124464882609472&w=2

External Source: HP

Name: HPSBUX02435

Hyperlink:http://marc.info/?l=bugtraq&m=124464882609472&w=2

External Source: SUSE

Name: SUSE-SR:2009:010

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html

External Source: NETBSD

Name: NetBSD-SA2009-008

Hyperlink:ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-008.txt.asc