Impact

Background

The Problems

04/08/24
CVE 2024-2511
The Security Advisory for April 8, 2024 announced a potential denial-of-service vulnerability. In a server which supports TLSv1.3 with the SSL_OP_NO_TICKET option, the session cache can get into an incorrect state and fail to flush properly, leading to unbounded memory growth. OpenSSL 1.1.1 prior to 1.1.1y, 3.0 prior to 3.0.14, 3.1 prior to 3.1.6, and 3.2 prior to 3.2.2 are affected by this vulnerability.

01/25/24
CVE 2024-0727
The Security Advisory for January 25, 2024 announced a low severity vulnerability. Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack.

02/05/24
CVE 2023-6129
The Security Advisory for January 9, 2024 announced a low severity vulnerability. The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences.

11/06/23
CVE 2023-5678
The Security Advisory for 6 November 2023 announced that a fixed has been made in a possible denial of service vulnerability. Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

10/24/23
CVE 2023-5363
OpenSSL Security Advisory for 24 October 2023 announced that a bug has been identified in the processing of key and initialization vector (IV) lengths. This can lead to potential truncation or overruns during the initialization of some symmetric ciphers which could result in loss of confidentiality for some cipher modes.

09/11/23
CVE 2023-4807
The 8 September 2023 Security Update fixed a denial of service vulnerability. The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions. If in an application that uses the OpenSSL library an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences.

07/31/23
CVE 2023-3446
CVE 2023-3817
Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters which resulted in two vulnerabilities. First, an application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. Second, a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p.

07/17/23
CVE 2023-2975
The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence. Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be misled by removing, adding or reordering such empty entries as these are ignored by the OpenSSL implementation.

05/30/23
CVE 2023-2650
The 30 May 2023 Security Advisory for OpenSSL fixed a denial of service vulnerability. Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service.

04/20/23
CVE 2023-1255
The 20 April 2023 Security Advisory for OpenSSL fixed an input buffer over-read in AES-XTS implementation on 64 bit ARM which could lead to a crash.

03/28/23
CVE 2023-0465
CVE 2023-0466
OpenSSL Security Advisory for 28 March 2023 announced fixes for two vulnerabilities. Firstly, applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Secondly, implementation of the function X509_VERIFY_PARAM_add0_policy is not enabled when doing certificate verification.

03/22/23
CVE 2023-0464
A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the "-policy" argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies() function.

02/07/23
CVE 2022-4203
CVE 2022-4304
CVE 2022-4450
CVE 2023-0215
CVE 2023-0216
CVE 2023-0217
CVE 2023-0286
CVE 2023-0401
OpenSSL Security Advisory for 07 February 2023 announced fixes for eight vulnerabilities:

• X.509 Name Constraints Read Buffer Overflow.
• Timing Oracle in RSA Decryption.
• Double free after calling PEM_read_bio_ex.
• Use-after-free following BIO_new_NDEF.
• Invalid pointer dereference in d2i_PKCS7 functions.
• NULL dereference validating DSA public key.
• X.400 address type confusion in X.509 GeneralName.
• NULL dereference during PKCS7 data verification.

02/06/23
CVE 2022-3996
If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup.

11/01/22
CVE 2022-3602
CVE 2022-3786
OpenSSL Security Advisory for 01 November 2022 announced fixes for two buffer overflows that can be triggered in X.509 certificate verification, specifically in name constraint checking. These vulnerabilities could result in crash causing a denial of service condition.

10/11/22
CVE 2022-3358
OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom cipher with NID_undef may lead to NULL encryption. Note: Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialization function.

07/05/22
CVE 2022-2097
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed.

07/05/22
CVE 2022-2274
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation.

06/23/22
CVE 2022-2068
OpenSSL 1.0.2zf, 1.1.1p, and 3.0.4 fixed a command injection in c_rehash due to incomplete fixed in CVE-2022-1292 where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool.

05/05/22
CVE 2022-1292
CVE 2022-1343
CVE 2022-1434
CVE 2022-1473
OpenSSL Security Advisory for 03 March 2022 addressed multiple vulnerabilities:

• The c_rehash script allows command injection.
• OCSP_basic_verify may incorrectly verify the response signing certificate.
• Incorrect MAC key used in the RC4-MD5 ciphersuite.
• Resource leakage when decoding certificates and keys.

03/15/22
CVE 2022-0778
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.

03/15/22
CVE 2021-4160
There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701.

03/15/22
CVE 2021-4044
Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour.

08/25/21
CVE 2021-3711
CVE 2021-3712
OpenSSL Security Advisory for 24 August 2021 addressed two vulnerabilities. First, there is an SM2 decryption buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small which could cause the application to crash. Second, a read buffer overruns processing ASN.1 strings could result in a crash or disclosure of private memory contents (such as private keys, or sensitive plaintext).

03/25/21
CVE 2021-3449
CVE 2021-3450
OpenSSL version 1.1.1k addressed two vulnerabilities. First, an OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client due to NULL pointer dereference in signature_algorithms processing. Second, a security problem in the implementation of CA certificate check with X509_V_FLAG_X509_STRICT flag.

02/16/21
CVE 2021-23839
CVE 2021-23840
CVE 2021-23841
OpenSSL Security Advisory for 16 February 2021 addressed multiple denial of service vulnerabilities:

• Incorrect SSLv2 rollback protection (only OpenSSL 1.0.2s to 1.0.2x are affected and have to enable different configurations that were off by default).
• Integer overflow in CipherUpdate.
• Null pointer deref in X509_issuer_and_serial_hash().

12/08/20
CVE 2020-1971
OpenSSL Security Advisory for 08 December 2020 addressed a denial of service vulnerability. The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack.

09/21/20
CVE 2020-1968
OpenSSL versions before 1.1.1 can reuse a pre-master secret from a static DH ciphersuite. This could permit an attacker to decipher said pre-master secret, and would allow that attacker to eavesdrop on encrypted communications over TLS connections.

04/21/20
CVE 2020-1967
Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognized signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.

01/06/20
CVE 2019-1551
There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME.

09/12/19
CVE 2019-1547
CVE 2019-1549
CVE 2019-1563
OpenSSL Security Advisory for September 2019 fixed multiple vulnerabilities:

• ECDSA remote timing attack of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto.
• Fork Protection was not being used in the default case.
• Padding Oracle attack in PKCS7_dataDecode and CMS_decrypt_set1_pkey. OpenSSL 1.0.2, 1.1.0, and 1.1.1 are affected by one or more issues.

07/31/19
CVE 2019-1552
OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time.

03/11/19
CVE 2019-1543
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce.

02/27/19
CVE 2019-1559
OpenSSL 1.0.2 prior to 1.0.2r is vulnerable to a 0-byte record padding oracle attack which could allow a remote attacker to decrypt data passing over the network. Note: In order for this to be exploitable "non-stitched" ciphersuites must be in use. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).

11/14/18
CVE 2018-5407
OpenSSL prior to 1.1.0i is vulnerable to a timing side channel attack. The vulnerability exists due to flaws on SMT/Hyper-Threading architectures.

10/29/18
CVE 2018-0734
CVE 2018-0735
OpenSSL 1.0.2 and prior to 1.0.2q, 1.1.0 and prior to 1.1.0j, and 1.1.1 and prior to 1.1.1a are vulnerable to a timing side channel attack. The vulnerabilities exist due to flaws in OpenSSL DSA and ECDSA signature algorithm. An attacker could use variations in the signing algorithm to recover the private key.

06/12/18
CVE 2018-0732
OpenSSL 1.1.0h and prior and OpenSSL 1.0.2o and prior are prone to denial of service attack. The vulnerability exists due to a long wait in generating a key during key agreement in a TLS handshake using a DH(E) based ciphersuite when a very large prime value is sent to the client.

04/17/18
CVE 2018-0737
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key.

03/27/18
CVE 2018-0733
CVE 2018-0739
OpenSSL fixed two vulnerabilities:

• Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe.
• Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected.

12/08/17
CVE 2017-3737
CVE 2017-3738
OpenSSL fixed two vulnerabilities. First, OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. However, due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. The vulnerability could let a remote user to obtain potentially sensitive information. Second, there is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. In certain situations, the vulnerability could let a remote user to possibly obtain information about a private key. No EC algorithms are affected. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation).

11/02/17
CVE 2017-3735
CVE 2017-3736
OpenSSL prior to 1.0.2m and 1.1.0 and prior to 1.1.0g, are prone to two vulnerabilities. CVE-2017-3735, was previously announced in August but the update did not include in a release due to its low severity. The two vulnerabilities are the following:

• While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL since then.
• A carry propagating bug in the x86_64 Montgomery squaring procedure which only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen. This vulnerability is difficult to exploit.

02/17/17
CVE 2017-3733
OpenSSL 1.0.1 and prior, 1.1.0 and prior to 1.1.0e, are prone to denial of service attack. The vulnerability exists due to a flaw in Encrypt-Then-Mac extension negotiation. Note: This vulnerability does not affect OpenSSL version 1.0.2.

01/26/17
CVE 2017-3730
CVE 2017-3731
CVE 2017-3732
Multiple vulnerabilities were fixed in the following:

• Bad parameters for a DHE or ECDHE key exchange could cause a client to crash.
• Truncated packet could cause that server or client to perform an out-of-bounds read, usually resulting in a crash.
• BN_mod_exp may produce incorrect results on x86_64. Note: a similar problem to CVE 2015-3193
  but treated separately.

01/10/17
CVE 2016-7056
OpenSSL versions 1.0.1u and prior are prone to privilege elevation vulnerability. The vulnerability exists due to a flaw in the signing function in crypto/ecdsa/ecdsa_ossl.c resulting in a cache-timing attack vulnerability. A malicious user with local access can recover ECDSA P-256 private keys.

11/10/16
CVE 2016-7053
CVE 2016-7054
CVE 2016-7055
OpenSSL version 1.1.0c fixed multiple vulnerabilities. The two vulnerabilities could result in denial of service attack, due to CMS Null dereference and ChaCha20/Poly1305 heap-buffer-overflow. The other vulnerability may produce incorrect results due to flaw in Montgomery multiplication.

09/26/16
CVE 2016-2180 CVE 2016-6302 CVE 2016-6303 CVE 2016-6304 CVE 2016-6305 CVE 2016-6306 CVE 2016-6307 CVE 2016-6308 CVE 2016-6309
CVE 2016-7052
Multiple vulnerabilities were fixed in the following:

• OpenSSL version prior to 1.0.1u and 1.0.2 prior to 1.0.2i, is vulnerable to out-of-bound read in TS_OBJ_print_bio().
• OpenSSL version prior to 1.0.1u and 1.0.2 prior to 1.0.2i, is vulnerable to a denial of service attack if a server uses SHA512 for TLS session ticket.
• OpenSSL version prior to 1.0.1u and 1.0.2 prior to 1.0.2i, is vulnerable to out-of-bound write in MDC2_Update().
• OpenSSL version prior to 1.0.1u, 1.0.2 prior to 1.0.2i, and 1.1.0 prior to 1.1.0a, has OCSP Status Request extension unbounded memory growth.
• OpenSSL version 1.1.0 prior to 1.1.0a, is vulnerable to a denial of service attack during a call to SSL_peek() if the peer sends an empty record.
• OpenSSL version prior to 1.0.1u and 1.0.2 prior to 1.0.2i, is vulnerable to out-of-bound read due to missing certificate message length checks.
• OpenSSL version 1.1.0 prior to 1.1.0a, is vulnerable to a denial of service attack due to excessive allocation of memory in tls_get_message_header() and dtls1_preprocess_fragment().
• OpenSSL version 1.1.0 prior to 1.1.0b, could lead to execution of arbitrary code as a result of patch did in CVE-2016-6307.
• OpenSSL version 1.0.2 prior to 1.0.2j, is vulnerable to a denial of service attack due to a null pointer exception.

08/26/16
CVE 2016-2183
OpenSSL is prone to a vulnerability called "SWEET32" attack. Since triple-DES (DES) has only a 64-bit block size, it is possible to send enough traffic to cause a cipher collision, and then use that information to recover some valuable secrets such as HTTP cookies and passwords.

08/25/16
CVE 2016-2182
OpenSSL is prone to denial of service attack. The vulnerability exists due to an out of bounds write in BN_bn2dec() in "crypto/bn/bn_print.c".

08/25/16
CVE 2016-2181
OpenSSL is prone to denial of service attack. The vulnerability exists because of the flaw in DTLS replay protection when doing handshake/renegotiation. The vulnerability could be exploited by sending a record for the next epoch (which does not have to decrypt or have a valid MAC), with a very large sequence number causing valid packets to be dropped by the target system.

08/25/16
CVE 2016-2179
OpenSSL is prone to denial of service attack by memory exhaustion. The vulnerability exists due to the way the DTLS handles out of order record delivery. A remote attacker can open simultaneous connections and fill up the queue by sending specially crafted large messages which are never going to be used.

06/30/16
CVE 2016-2178
The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.

06/29/16
CVE 2016-2177
OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.

05/03/16
CVE 2016-2105
CVE 2016-2106
CVE 2016-2107
CVE 2016-2108
CVE 2016-2109
CVE 2016-2176
Multiple vulnerabilities were fixed in the following:

• OpenSSL version prior to 1.0.1o and 1.0.2 prior to 1.0.2c, is vulnerable to a memory corruption in the ASN.1 encoder.
• OpenSSL version prior to 1.0.1t and 1.0.2 prior to 1.0.2h, is vulnerable to padding oracle attack in AES-NI CBC MAC check.
• OpenSSL version prior to 1.0.1t and 1.0.2 prior to 1.0.2h, is vulnerable to an overflow resulting in a heap corruption due to flaw in EVP_EncodeUpdate.
• OpenSSL version prior to 1.0.1t and 1.0.2 prior to 1.0.2h, is vulnerable to an overflow resulting in a heap corruption due to flaw in EVP_EncryptUpdate.
• OpenSSL version prior to 1.0.1t and 1.0.2 prior to 1.0.2h, is vulnerable to excessive memory consumption when ASN.1 data is read from a BIO.
• OpenSSL version prior to 1.0.1t and 1.0.2 prior to 1.0.2h, is vulnerable to an overread in applications using the X509_NAME_oneline() function on EBCDIC systems.

03/15/16
CVE 2016-0702
CVE 2016-0703
CVE 2016-0704
CVE 2016-0705
CVE 2016-0797
CVE 2016-0798
CVE 2016-0799
CVE 2016-0800
CVE 2016-2842
Multiple vulnerabilities were fixed in the following:

• OpenSSL version prior to 1.0.1s and 1.0.2 prior to 1.0.2g, is vulnerable to a side channel attack on modular exponentiation. This vulnerability is also known as CacheBleed.
• OpenSSL version prior to 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf, is vulnerable to divide-and-conquer key recovery attack.
• OpenSSL version prior to 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf, is vulnerable to Bleichenbacher oracle flaw which can be used to decrypt sessions.
• OpenSSL version prior to 1.0.1s and 1.0.2g, is vulnerable to double free memory error in DSA code, which may cause denial of service conditions.
• OpenSSL version prior to 1.0.1s and 1.0.2g, is vulnerable to NULL pointer dereference or heap corruption, due to flaws in BN_hex2bn/BN_dec2bn functions.
• OpenSSL version prior to 1.0.1s and 1.0.2g, is vulnerable to memory leak in SRP database lookups, due to flaw in SRP_VBASE_get_by_user method.
• OpenSSL version prior to 1.0.1s and 1.0.2g, may cause memory error in BIO_*printf() functions.
• OpenSSL version prior to 1.0.1s and 1.0.2g, is vulnerable to cross-protocol attack by using a server that supports SSLv2, and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. This vulnerability is also known as DROWN.
• OpenSSL version prior to 1.0.1s and 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.

01/28/16
CVE 2015-3197
CVE 2016-0701

• OpenSSL prior to 1.0.1r and 1.0.2 prior to 1.0.2f, is vulnerable to man-in-the-middle attack due to a flaw in the way malicious SSL/TLS clients negotiate SSLv2 ciphers. Note: The vulnerability can be exploited provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2.
• OpenSSL 1.0.2 and prior to 1.0.2f, is vulnerable to man-in-the-middle attack due to unsafe primes generated and stored in X9.42-style parameter files. Note: This feature only exists in 1.0.2. Also, the attack requires that the attacker complete multiple handshakes in which the peer uses the same private DH exponent. OpenSSL will not reuse the key for DHE ciphers suites if "- SSL_OP_SINGLE_DH_USE is set", "- SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback()" is used and the callback does not provide the key, only the parameters.

12/03/15
CVE 2015-3193
CVE 2015-3194
CVE 2015-3195
CVE 2015-3196
Multiple vulnerabilities were fixed in the following:

• OpenSSL 1.0.2 and prior to 1.0.2e, may produce incorrect results on x86_64 due to flaw in BN_mod_exp.
• OpenSSL 1.0.1 and prior to 1.0.1q, 1.0.2 and prior to 1.0.2e, may crash due to flaw in signature verification routines.
• OpenSSL 0.9.8 and prior to 0.9.8zh, 1.0.0 and prior to 1.0.0t, 1.0.1 and prior to 1.0.1q, 1.0.2 and prior to 1.0.2e, when presented with a malformed X509_ATTRIBUTE structure, may leak memory.
• OpenSSL 1.0.0 and prior to 1.0.0t, 1.0.1 and prior to 1.0.1q, 1.0.2 and prior to 1.0.2e, may result in a race condition when handling PSK identify hint.

07/09/15
CVE 2015-1793
OpenSSL prior to 1.0.1p and 1.0.2d is affected by a security-bypass vulnerability. The vulnerability exists due to a flaw in certificate verification. The vulnerability could cause certain checks on untrusted certificates to be bypassed.

06/12/15
CVE 2015-1788
CVE 2015-1789
CVE 2015-1790
CVE 2015-1791
CVE 2015-1792
CVE 2015-4000
OpenSSL versions prior to 0.9.8zg, 1.0.0s, 1.0.1n, and 1.0.2b are affected by multiple vulnerabilities, including a DHE man-in-the-middle attack (Logjam), an infinite loop due to malformed ECParameters, an out-of-bounds read in X509_cmp_time, a PKCS7 crash with missing EnvelopedContent, an infinite loop in the CMS code when verifying a signedData message with an unknown hash function OID, and a race condition handling NewSessionTicket.

06/12/15
CVE 2014-8176
OpenSSL prior to 0.9.8za, 1.0.0m, and 1.0.1h is affected by a memory corruption vulnerability due to an invalid free. The vulnerability occurs if a DTLS peer receives application data between the ChangeCipherSpec and Finished messages.

03/20/15
CVE 2015-0207 CVE 2015-0208 CVE 2015-0209 CVE 2015-0285 CVE 2015-0286
CVE 2015-0287 CVE 2015-0288 CVE 2015-0289 CVE 2015-0290 CVE 2015-0291
CVE 2015-0292 CVE 2015-0293 CVE 2015-1787
OpenSSL versions before 0.9.8zf, 1.0.0 before 1.0.0r, and 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a are prone to multiple vulnerabilities. The vulnerabilities exist due to the following:

• Segmentation fault in DTLSv1_listen.
• Segmentation fault for invalid PSS parameters.
• Use After Free following d2i_ECPrivatekey error.
• Handshake with unseeded PRNG.
• Segmentation fault in ASN1_TYPE_cmp.
• ASN.1 structure reuse memory corruption.
• X509_to_X509_REQ NULL pointer dereference.
• PKCS7 NULL pointer dereferences.
• "Multiblock" corrupted pointer.
• OpenSSL 1.0.2 ClientHello sigalgs denial of service.
• Crafted base 64 data could trigger a segmentation fault or memory corruption.
• Denial of service through reachable assert in SSLv2 servers.
• Denial of service in empty CKE with client auth and DHE.

01/12/15
CVE 2015-0204 CVE 2015-0205 CVE 2015-0206 CVE 2014-3569 CVE 2014-3570
CVE 2014-3571 CVE 2014-3572 CVE 2014-8275
OpenSSL versions before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k are prone to multiple vulnerabilities. The vulnerabilities exist due to the following:

• RSA silently downgrades to EXPORT_RSA.
• "Diffie-Hellman (DH)" client certificates accepted without verification.
• DTLS memory leak in dtls1_buffer_record.
• no-ssl3 configuration sets method to NULL.
• Bignum squaring may produce incorrect results.
• DTLS segmentation fault in dtls1_get_record.
• ECDHE silently downgrades to ECDH.
• Certificate fingerprints can be modified.

10/22/14
CVE 2014-3513 CVE 2014-3566 CVE 2014-3567 CVE 2014-3568
OpenSSL versions prior to 1.0.1j, 1.0.0o, and 0.9.8zc are prone to multiple vulnerabilities, including denial of service, man-in-the-middle attacks, and compromise a vulnerable system.

08/11/14
CVE 2014-3505 CVE 2014-3506 CVE 2014-3507 CVE 2014-3508 CVE 2014-3509
CVE 2014-3510 CVE 2014-3511 CVE 2014-3512 CVE 2014-5139
OpenSSL versions prior to 1.0.1i, 1.0.0n, and 0.9.8zb are prone to multiple vulnerabilities, including denial of service attacks, disclosure of sensitive information, and compromise a vulnerable system.

06/06/14
CVE 2014-0195
CVE 2014-0221
CVE 2014-3470
OpenSSL versions 1.0.1g and prior are prone to multiple vulnerabilities, which can be exploited by attackers to disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.

06/06/14
CVE 2014-0224
OpenSSL is affected by a vulnerability in the handling of ChangeCipherSpec (CCS) messages. CCS messages received too early from the client may be processed before a master secret has been established, causing a zero-length master secret to be used. This could allow man-in-the-middle attackers to decrypt or hijack the session.

Exploitation of this vulnerability is most likely in OpenSSL 1.0.1 before 1.0.1h. However, version 1.0.0 before 1.0.0m, and all versions prior to 0.9.8za are also affected.

05/06/14
CVE 2014-0198
OpenSSL versions 1.0.1g and prior are prone to a vulnerability, which can be exploited by remote attackers to cause a DoS (Denial of Service). The vulnerability exists due to a NULL pointer dereference error in the do_ssl3_write function. The vulnerability can be exploited when SSL_MODE_RELEASE_BUFFERS flag is enabled.

04/24/14
CVE 2010-5298
OpenSSL versions 1.0.1g and prior, when SSL_MODE_RELEASE_BUFFERS is enabled, are vulnerable to remote content injection. The vulnerability is due to a us-after-free error in the ssl3_read_bytes() function in ssl/s3_pkt.c.

04/08/14
CVE 2014-0160
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

03/24/14
CVE 2014-0076
OpenSSL versions 1.0.1f and prior are prone to a vulnerability, which can be exploited by malicious, local users to disclose certain sensitive information. The vulnerability exists due to an implementation error in the Elliptic Curve Digital Signature Algorithm (ECDSA). The vulnerability can be exploited to disclose a nonce value and subsequently derive the secret key via the FLUSH+RELOAD Cache side-channel attack.

01/07/14
CVE 2013-4353
CVE 2013-6449
CVE 2013-6450
OpenSSL are prone to multiple vulnerabilities which can be exploited to cause a denial of service. These vulnerabilities are due to the following:

• An error in the "ssl_get_algorithm2()" function in ssl/s3_lib.c.
• An error when handling DTLS.
• An error in the "ssl3_take_mac()" function in ssl/s3_both.c when setting-up new cipher.

02/08/13
CVE 2012-2686
CVE 2013-0166
CVE 2013-0169
OpenSSL versions prior to 0.9.8y, 1.0.0k, and 1.0.1d are prone to multiple vulnerabilities. These vulnerabilities can be exploited by malicious people to disclose sensitive information or cause DoS (Denial of Service).

05/14/12
CVE 2012-2333
OpenSSL versions prior to 1.0.1c, 1.0.0j, and 0.9.8x are prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) of the application using the library. The vulnerability is caused due to an integer underflow error within the parsing of TLS record length of Datagram Transport Layer Security (DTLS) packets using CBC encryption mode, which can be exploited to cause a crash.

04/24/12
CVE 2012-2110
CVE 2012-2131
OpenSSL before 0.9.8w, 1.0.1a, and 1.0.0i is prone to a vulnerability, which can be exploited by malicious people to potentially compromise an application using the library. The vulnerability is caused due to a type casting error in the "asn1_d2i_read_bio()" function when processing DER format data and can be exploited to cause a heap-based buffer overflow.

03/19/12
CVE 2012-0884
CVE 2012-1165
OpenSSL before 0.9.8u or 1.0.0h is prone to two vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service) in an application using the library.

03/01/12
CVE 2006-7250
OpenSSL 0.9.8t, 1.0.0g, and prior are prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) of the application using the library. The vulnerability is caused due to a NULL-pointer dereference error in the "mime_hdr_cmp()" function when parsing certain MIME headers and can be exploited to cause a crash.

02/16/12
CVE 2010-3864
OpenSSL versions 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a have a race condition in the TLS extension parsing code. The vulnerability might allow remote attackers to execute arbitrary code via client data which triggers a heap-based buffer overflow when multi-threading and internal caching are enabled on a TLS server.

01/30/12
CVE 2012-0050
OpenSSL versions 1.0.0f and 0.9.8s are prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

01/12/12
CVE 2011-4108 CVE 2011-4109 CVE 2011-4576 CVE 2011-4577 CVE 2011-4619
CVE 2012-0027
OpenSSL before 0.9.8s is prone to multiple vulnerabilities, which can be exploited by malicious people to disclose potentially sensitive information, cause a DoS (Denial of Service), and potentially compromise an application using the library.

09/13/11
CVE 2011-3207
CVE 2011-3210
OpenSSL before 1.0.0e is prone to two vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).

05/25/11
CVE 2011-1945
OpenSSL 0.x and 1.x are prone to a vulnerability, which can be exploited by malicious people to disclose potentially sensitive information. The weakness is caused due to the implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) not properly preventing timing attacks, which can be exploited to e.g. disclose the private key of a TLS server.

02/28/11
CVE 2011-0014
OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c are prone to a security vulnerability that affects Online Certificate Status Protocol (OCSP) stapling. Attackers can exploit this issue to cause a denial-of-service condition in OpenSSL. If OpenSSL is used in an application, parsed OCSP nonce extensions could be used to obtain sensitive information.

12/17/10
CVE 2010-4180
OpenSSL prior to 0.9.8q, and 1.0.0 prior to 1.0.0c, are affected by a vulnerability which could allow the ciphersuite to be downgraded to a weaker one in some cases. The vulnerability is caused by an old bug workaround.

12/17/10
CVE 2010-4252
OpenSSL prior to 0.9.8q, and 1.0.0 prior to 1.0.0c, are affected by a vulnerability in the JPAKE implementation. The vulnerability could allow successful validation by someone with no knowledge of the shared secret. Note that JPAKE is not compiled into OpenSSL by default.

06/29/10
CVE 2010-1633
OpenSSL 1.0.0 is prone to a security-bypass vulnerability. Successful exploit may allow attackers to potentially bypass key checks in applications using the affected library.

06/29/10
CVE 2010-0742
OpenSSL 0.9.8h through 0.9.8n and OpenSSL 1.0.x prior to 1.0.0a are prone to a remote memory-corruption vulnerability. An attacker can exploit this issue by supplying specially crafted structures to a vulnerable application that uses the affected library. Successfully exploiting this issue can allow the attacker to execute arbitrary code. Failed exploit attempts will result in a denial-of-service condition.

04/26/10
CVE 2010-0740
OpenSSL versions 0.9.8f through 0.9.8m are prone to a denial-of-service vulnerability caused by a NULL-pointer dereference. An attacker can exploit this issue to crash the affected application, denying service to legitimate users.

04/14/10
CVE 2010-0433
OpenSSL before 0.9.8n is prone to a denial-of-service vulnerability caused by a NULL-pointer dereference. An attacker can exploit this issue to crash the affected application, denying service to legitimate users.

04/14/10
CVE 2009-3245
OpenSSL before 0.9.8m is prone to an unspecified vulnerability, due to a NULL return value from bn_wexpand function calls.

04/07/10
CVE 2009-3555
Multiple vendors TLS protocol implementations are prone to a security vulnerability related to the session-renegotiation process which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context.

06/24/09
CVE 2009-1386
OpenSSL before 0.9.8i is prone to a denial-of-service vulnerability caused by a NULL-pointer dereference condition. An attacker can exploit this issue to crash the affected application, denying service to legitimate users.

06/22/09
CVE 2009-1379
OpenSSL before 1.0.0 Beta 2 is prone to a vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c, that may allow attackers to cause denial-of-service conditions.

06/10/09
CVE 2009-1377
CVE 2009-1378
OpenSSL 0.9.8k and prior are prone to multiple vulnerabilities that may allow attackers to cause denial-of-service conditions.

04/13/09
CVE 2009-0590
CVE 2009-0591
CVE 2009-0789
OpenSSL before 0.9.8k is prone to multiple vulnerabilities that may allow attackers to trigger denial-of-service conditions or bypass certain security checks.

01/12/09
CVE 2008-5077
OpenSSL version 0.9.8i and earlier does not properly check the return value of the EVP_VerifyFinal function which allows attackers to use a malformed SSL/TLS signature to bypass security.

02/09/11
CVE 2008-1678
A flaw was found in the handling of compression structures between mod_ssl and OpenSSL. A remote attacker enabling compression in an SSL handshake could cause a memory leak in the server, leading to a denial of service.

06/06/08
CVE 2008-0891
CVE 2008-1672
OpenSSL 0.9.8f and 0.9.8g have multiple Denial of Service vulnerabilities. A remote attacker could send a crafted packet to a server application using OpenSSL and cause it to crash (CVE-2008-0891). If a client connects to a malicious server with particular cipher suites, the server could cause the client to crash via a TLS handshake(CVE-2008-1672).

05/19/08
CVE 2008-0166
Debian and Ubuntu versions of OpenSSL 0.9.8c through 0.9.8f have a vulnerability in the random number generator due to lack of entropy. This makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

10/26/07
CVE 2007-4995
OpenSSL 0.9.8 prior to 0.9.8f has an off-by-one error in the DTLS implementation that allows remote attackers to execute arbitrary code.

10/04/07
CVE 2007-5135
OpenSSL versions 0.9.7l, 0.9.8d, and 0.9.8e have a one-byte buffer overflow caused by the fix for CVE 2006-3738 to the SSL_get_shared_ciphers vulnerability.

08/10/07
CVE 2007-3108
OpenSSL versions of 0.9.8 up to and including 0.9.8e have an error in the BN_from_montgomery function in crypto/bn/bn_mont.c where Montgomery multiplication is not properly performed. This might allow local users to conduct a side-channel attack and retrieve RSA private keys.

10/03/06
CVE 2006-2937
CVE 2006-2940
CVE 2006-3738
CVE 2006-4343
OpenSSL versions 0.9.7l and 0.9.8d fixed multiple vulnerabilities, including two denial-of-service vulnerabilities in parsing ASN.1 data, a buffer overflow in the SSL_get_shared_ciphers function, and a client denial of service when OpenSSL is used to created an SSLv2 connection.

09/11/06
CVE 2006-4339
OpenSSL when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash. This allows remote attackers to forge a PKCS #1 v1.5 signature. Versions before 0.9.7, 0.9.7 before 0.9.7k and 0.9.8 before 0.9.8c are vulnerable.

10/18/05
CVE 2005-2969
OpenSSL versions prior to 0.9.7h and 0.9.8a have a vulnerability if the SSL_OP_MSIE_SSLV2_RSA_PADDING option is set. This option is set by the SSL_OP_ALL option , which is intended to work around various bugs in third-party software that might prevent interoperability. In the event that this option is set, the verification steps necessary to prevent the use of SSL 2.0 can be disabled. The SSL 2.0 protocol is known to have severe cryptographic weaknesses and is supported only as a fallback.

03/17/04
CVE 2004-0079
The assignment of a value to a null pointer in the do_change_cipher_spec function could allow a remote attacker to crash OpenSSL by sending a specially crafted SSL/TLS handshake to an application using OpenSSL. Depending upon the application, this attack could lead to a denial of service. OpenSSL 0.9.6c through 0.9.6l and 0.9.7a through 0.9.7c are affected by this vulnerability.

03/17/04
CVE 2004-0112
A flaw in the SSL/TLS handshaking code when using Kerberos ciphersuites could allow a remote attacker to crash OpenSSL by sending a specially crafted SSL/TLS handshake to an application configured to use Kerberos ciphersuites. OpenSSL 0.9.7a through 0.9.7c are affected by this vulnerability if used in applications which use Kerberos ciphersuites.

03/23/04
CVE 2004-0081
Due to a flaw in the handling of unknown message types, a remote attacker could cause OpenSSL to enter an endless loop, which could result in a denial of service to the application using OpenSSL. OpenSSL prior to version 0.9.6d is affected by this vulnerability.

11/07/03
CVE 2003-0851
A bug in OpenSSL 0.9.6k (and probably earlier) allows certain ASN.1 sequences to trigger a large recursion. On platforms such as Windows, this large recursion causes OpenSSL to crash. A remote attacker could exploit this flaw if he or she can send arbitrary ASN.1 sequences that would cause OpenSSL to crash, e.g., by sending a client certificate to a SSL/TLS enabled server that is configured to accept them.

OpenSSL uses a library which performs Abstract Syntax Notation 1 (ASN.1) encoding, which is an international standard for transmitting data between applications. This library contains multiple errors which can be exploited to produce a denial of service. In one case, there is a possibility of an attacker executing arbitrary code.

Due to an error in the SSL/TLS protocol handling, a server will parse a client certificate when one is not specifically requested. This means that all SSL/TLS servers that use OpenSSL can be attacked using any of the first three vulnerabilities below, even if client authentication is disabled.

• 10/02/03
  CVE 2003-0545
  Certain ASN.1 encodings that are rejected as invalid by the parser can trigger a bug in the deallocation of the corresponding data structure, corrupting the stack. This can be used as a denial of service attack. It is currently unknown whether this can be exploited to run malicious code. OpenSSL version 0.9.7 prior to 0.9.7c is vulnerable.
• 10/02/03
  CVE 2003-0543
  Unusual ASN.1 tag values can cause an out of bounds read. OpenSSL prior to 0.9.6k and 0.9.7c is vulnerable.
• 10/02/03
  CVE 2003-0544
  If OpenSSL is set to ignore public key decoding errors, a malformed public key in a certificate will crash the verify code. This is unlikely to affect production code since public key decode errors would normally only be ignored for debugging purposes. OpenSSL prior to 0.9.6k and 0.9.7c is vulnerable.
• 07/31/02
  CVE 2002-0659
  The ASN.1 library contains errors which could cause malformed encodings to be parsed incorrectly, leading to a denial of service. OpenSSL prior to 0.9.6e and pre-releases prior to 0.9.7 beta 2 and possibly other implementations of the SSL protocol are affected by this vulnerability.

10/09/03
CVE 2002-1568
A die command in the OpenSSL library prior to OpenSSL 0.9.6f could allow a remote attacker to terminate Apache or any other OpenSSL-enabled service by sending a specially crafted SSLv2 CLIENT_MASTER_KEY message.

07/31/02
OpenSSL versions prior to 0.9.6e (and pre-release versions prior to 0.9.7 beta 2) are affected by multiple vulnerabilities which could allow remote execution of commands or denial of service:

• A buffer overflow in the SSLv2 handshake process in OpenSSL servers, exploitable by a remote attacker sending a malformed client key
• A buffer overflow in the SSLv3 handshake process in OpenSSL clients, exploitable by a malicious web site sending a large session ID
• CVE 2002-0656
  CVE 2002-0657
  A buffer overflow in the SSLv3 handshake process in OpenSSL servers with Kerberos enabled, exploitable by a remote attacker sending a malformed client key (OpenSSL 0.9.7 pre-releases only.)
• CVE 2002-0655
  Buffer overflows in the buffers used to hold ASCII representations of integers in OpenSSL clients and servers on 64-bit platforms.

03/04/03
CVE 2003-0078
A weakness in OpenSSL's implementation of CBC-mode ciphers could allow a remote attacker to decrypt data passing over the network. By sending specially crafted ciphertext blocks in place of legitimate ciphertext blocks and measuring the time it takes to receive a response, an attacker could gain enough information to decrypt any information that is sent repeatedly over the network.

OpenSSL prior to 0.9.6i, and OpenSSL 0.9.7 prior to 0.9.7a are affected by this vulnerability if CBC mode is used. Exploitation would be very difficult and would require the ability to intercept legitimate traffic containing hundreds of blocks with low network latency.

03/20/03
CVE 2003-0147
This is another timing attack. A remote attacker could recover the RSA secret key from OpenSSL if RSA blinding is turned off, which is the usual configuration. OpenSSL 0.9.7a and 0.9.6i are affected by this vulnerability.

CVE 2001-1141
A flaw in OpenSSL prior to 0.9.6b could allow an attacker to determine the internal state of the pseudo-random number generator (PRNG) by sending a number of one-byte requests to the PRNG, thus allowing the attacker to predict future random numbers. This vulnerability is not exploitable in Apache or any other known applications which use the OpenSSL library because they do not make one-byte requests to the PRNG. However, this is still a weakness in the cryptography and should be addressed.

Resolution

OpenSSL should be upgraded to version 3.2.2 for 3.2.x, 3.1.6 for 3.1.x, 3.0.14 for 3.0.x,when available.

Note: Premium support customers of OpenSSL for 1.1.1 should upgrade to version 1.1.1y or higher and 1.0.2 should upgrade to 1.0.2zj.

VERSIONS 1.1.0, 1.0.3, 1.0.1, 1.0.0, AND 0.9.8 VERSIONS HAVE REACHED EOL AND NO MORE SECURITY FIXES WILL BE PROVIDED. USERS ARE ADVISED TO UPGRADE TO LATER VERSIONS.

Since the overflow bug in the AVX2 Montgomery multiplication procedure is considered low severity, a new release of OpenSSL 1.1.0 at this time is not issued. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository.

For the OpenSSL Triple-DES Cipher Block Collision Vulnerability, OpenSSL has mitigated the issue:

• For 1.0.2 and 1.0.1, we removed the triple-DES ciphers from the "HIGH" keyword and put them into "MEDIUM." Note that we did not remove them from the "DEFAULT" keyword.
• For the 1.1.0 release, we treat triple-DES just like we are treating RC4. It is not compiled by default; you have to use "enable-weak-ssl-ciphers" as a config option. Even when those ciphers are compiled, triple-DES is only in the "MEDIUM" keyword. In addition, because this is a new release, we also removed it from the "DEFAULT" keyword.

Recompile any OpenSSL applications statically linked to OpenSSL libraries. Another option is to install a fix from your vendor.

Apply a patch or, as a workaround, recompile OpenSSL with -DOPENSLL_NO_BUF_FREELIST.

The random number generator weakness for the Debian and Ubuntu platform should be patched.

Where can I read more about this?

The OpenSSL Security Advisory for 25 January 2024 was reported in 20240125.

The OpenSSL Security Advisory for 9 January 2024 was reported in 20240109.

The OpenSSL Security Advisory for 6 November 2023 was reported in 20231106.

The OpenSSL Security Advisory for 24 October 2023 was reported in 20231024.

The OpenSSL Security Advisory for 8 September 2023 was reported in 20230908.

The Excessive time spent checking DH keys and q parameter values were reported in 20230719 and 20230731.

The OpenSSL Security Advisory for 14 July 2023 was reported in 20230714.

The OpenSSL Security Advisory for 30 May 2023 was reported in 20230530.

For more information on the OpenSSL Security Advisory for 20 April 2023, see 20230420.

For more information on the OpenSSL Security Advisory for 28 March 2023, see 20230328.

For more information on the OpenSSL Security Advisory for 22 March 2023, see 20230322.

For more information on the OpenSSL Security Advisory for 07 February 2023, see 20230207.

For more information on the X.509 Policy Constraints Double Locking, see 20221213.

For more information on the OpenSSL Security Advisory for 11 October 2022, see 20221101.

For more information on the OpenSSL Security Advisory for 11 October 2022, see 20221011.

For more information on the OpenSSL Security Advisory for 05 July 2022, see 20220705.

For more information on the OpenSSL Security Advisory for 22 June 2022, see commit 4d8a88c134df634ba610ff8db1eb8478ac5fd345.

For more information on the OpenSSL Security Advisory for 21 June 2022, see 20220621.

The Security Advisory for 03 March 2022 as reported in 20220503.

The Security Advisory for 15 March 2022 was reported in CVE-2022-0778.

The Security Advisory for 28 January 2022 was reported in CVE-2021-4160.

The Security Advisory for 14 December 2022 was reported in CVE-2021-4160.

For more information on the OpenSSL Security Advisory for 24 August 2021, see 20210824.

For more information on the OpenSSL Security Advisory for 25 March 2021, see 20210325.

For more information on the OpenSSL Security Advisory for 16 February 2021, see 20210216.

The Security Advisory for 08 December 2020 was reported in OpenSSL Security Advisory 08 December 2020.

The Security Advisory for 21 September 2020 was reported in OpenSSL Security Advisory 21 September 2020.

The Security Advisory for 21 April 2020 was reported in OpenSSL Security Advisory 21 April 2020.

For the OpenSSL Security Advisory for 6 December 2019, see OpenSSL Security Advisory 6 December 2019.

For the OpenSSL Security Advisory for September 2019 fixed multiple vulnerabilities, see OpenSSL Security Advisory 10 September 2019.

For the OpenSSL OPENSSLDIR privilege elevation vulnerability (CVE-2019-1552), see OpenSSL Security Advisory 30 July 2019.

For the OpenSSL ChaCha20-Poly1305 with long nonces vulnerability, see OpenSSL Security Advisory 6 March 2019.

For the OpenSSL 0-byte record padding oracle vulnerability, see OpenSSL Security Advisory 26 February 2019.

For the OpenSSL on SMT/Hyper-Threading architectures side-channel vulnerability, see CVE-2018-5407.

For the OpenSSL signature algorithm vulnerabilities, see OpenSSL Security Advisory 30 October 2018 and OpenSSL Security Advisory 29 October 2018.

For the OpenSSL Client Denial of Service Vulnerability, see OpenSSL Security Advisory 12 June 2018.

The OpenSSL Cache timing vulnerability in RSA Key Generation was reported in OpenSSL Security Advisory 16 Apr 2018.

The two vulnerabilities fixed in OpenSSL 1.1.0h were reported in OpenSSL Security Advisory 27 Mar 2018.

The two vulnerabilities fixed in OpenSSL 1.0.2n were reported in OpenSSL Security Advisory 07 Dec 2017.

The two vulnerabilities fixed in OpenSSL 1.0.2m and 1.1.0g were reported in OpenSSL Security Advisory 02 Nov 2017.

The vulnerability in Encrypt-Then-Mac renegotiation fixed in OpenSSL was posted in OpenSSL Security Advisory 16 Feb 2017.

The multiple vulnerabilities fixed in OpenSSL Security Advisory 20170126 were reported in OpenSSL Security Advisory 26 Jan 2017.

The OpenSSL ECDSA P-256 timing attack key recovery vulnerability was reported in CVE-2016-7056.

The OpenSSL Security Advisory 20161110 were reported in OpenSSL Security Advisory 10 Nov 2016.

The OpenSSL Security Advisory 20160922 were reported in OpenSSL Security Advisory 22 Sep 2016, CVE-2016-6309, and CVE-2016-7052.

The OpenSSL Triple-DES Cipher Block Collision Vulnerability was reported in Changes between 1.0.2h and 1.1.0, Changes between 1.0.2h and 1.0.2i, and Changes between 1.0.1t and 1.0.1u.

The BN_bn2dec() vulnerability in OpenSSL was reported in CVE-2016-2182.

The OpenSSL DTLS replay protection bypass causing denial of service was reported in CVE-2016-2181.

The OpenSSL DTLS buffered messages denial of service vulnerability was reported in CVE-2016-2179.

The OpenSSL non-constant time codepath vulnerability was reported in CVE-2016-2178.

The OpenSSL integer overflow vulnerability was reported in CVE-2016-2177.

The OpenSSL Security Advisory 20160503 was reported in OpenSSL Security Advisory 20160503.

The multiple vulnerabilities fixed in OpenSSL 1.0.2g and 1.0.1s were reported in OpenSSL Security Advisory 1 Mar 2016.

The two vulnerabilities fixed in OpenSSL 1.0.2f and 1.0.1r were reported in OpenSSL Security Advisory 28 Jan 2016.

The multiple vulnerabilities fixed in OpenSSL 1.0.2e, 1.0.1q, 1.0.0t, and 0.9.8zh were reported in OpenSSL Security Advisory 3 Dec 2015.

The alternative chains certificate forgery was reported in OpenSSL Security Advisory 9 July 2015.

The vulnerabilities fixed in OpenSSL 1.0.2b, 1.0.1n, 1.0.0s, and 0.9.8zg and the invalid free in DTLS were reported in an OpenSSL Security Advisory.

The multiple vulnerabilities fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf were reported in OpenSSL Security Advisory 20150319.

The multiple vulnerabilities fixed in OpenSSL 1.0.1k, , 1.0.0p, and 0.9.8zd were reported in OpenSSL Security Advisory 20150108.

The vulnerabilities fixed in OpenSSL 1.0.1j, 1.0.0o, and 0.9.8zc were reported in OpenSSL Security Advisory 20141015.

The vulnerabilities fixed in OpenSSL 1.0.1i, 1.0.0n, and 0.9.8zb were reported in OpenSSL Security Advisory 20140806.

The OpenSSL multiple vulnerabilities were reported in OpenSSL Security Advisory 20140605.

For a discussion of the CCS injection vulnerability, see ImperialViolet.

The OpenSSL do_ssl3_write function NULL pointer dereference vulnerability was reported in s3_pkt.c.

The OpenSSL ssl3_read_bytes() function use-after-free vulnerability was reported in OSVDB 105763. The OpenSSL "Heartbleed" vulnerability was reported in openssl-heartbleed-bug-live-blog.

The OpenSSL ECDSA Nonces Recovery Vulnerability was reported in Bugtraq.

The multiple vulnerabilities fixed in OpenSSL 1.0.1f were reported in SecurityTracker ID 1029548, SecurityTracker ID 1031594, and OpenSSL vulnerabilities.

The multiple vulnerabilities fixed in OpenSSL 0.9.8y, 1.0.0k, and 1.0.1d were reported in Bugtraq, Bugtraq, and SecurityTracker ID 1029190.

The TLS Packet Parsing Integer Underflow Denial of Service vulnerability was reported in SecurityTracker ID 1027057.

The OpenSSL "asn1_d2i_read_bio()" DER Format Data Processing vulnerability was reported in SecurityTracker ID 1026957.

The CMS / PKCS #7 Decryption and NULL Pointer Dereference vulnerabilities were reported in Bugtraq and SecurityTracker ID 1026787.

The ASN.1 MIME Header Parsing NULL Pointer Dereference vulnerability was reported in Bugtraq.

The Race Condition vulnerability was reported in SecurityTracker ID 1024743.

The DTLS Denial of Service vulnerability was reported in SecurityTracker ID 1026548.

The multiple vulnerabilities fixed in OpenSSL 0.9.8s were reported in Bugtraq, Bugtraq, and Bugtraq.

The CRL Bypass and ECDH Denial of Service vulnerabilities were reported in SecurityTracker ID 1026012.

The ECDSA Timing Attack vulnerability was reported in Secunia Advisory SA44572.

The OCSP Stapling 'ClientHello' Handshake Message Parsing Security vulnerability was reported in Bugtraq ID 46264.

The ciphersuite downgrade vulnerability and the JPAKE validation error were reported in OpenSSL Security Advisory - 2 December 2010.

The EVP_PKEY_verify_recover() Invalid Return Value Security Bypass vulnerability was reported in Bugtraq ID 40503.

The Cryptographic Message Syntax Memory Corruption vulnerability was reported in Bugtraq ID 40502.

The ssl3_get_record() Remote Denial of Service vulnerability was reported in Bugtraq ID 39013.

The dtls1_retrieve_buffered_fragment() Remote Denial of Service vulnerability was reported in Bugtraq ID 38533.

The bn_wexpend() Error Handling unspecified vulnerability was reported in Bugtraq ID 38562.

The Multiple Vendor TLS Protocol Session Renegotiation Security vulnerability was reported in Bugtraq ID 36935.

The ChangeCipherSpec DTLS Packet Denial of Service vulnerability was reported in Bugtraq ID 35174.

The dtls1_retrieve_buffered_fragment() DTLS Packet Denial of Service vulnerability was reported in Bugtraq ID 35138.

The DTLS Packets multiple Denial of Service vulnerabilities were reported in Bugtraq ID 35001.

The multiple vulnerabilities fixed in OpenSSL 0.9.8k were reported in Bugtraq ID 34256.

The Security Bypass in version 0.9.8i and earlier was reported in Ocert Advisory 2008-016.

The OpenSSL Compression Memory Leak Remote Denial of Service Vulnerability was reported in Bugtraq ID 31692.

The OpenSSL 0.9.8f and 0.9.8g multiple Denial of Service vulnerabilities were reported in Bugtraq ID 29405.

The Debian and Ubuntu random number generator weakness was reported in SecurityTracker ID 1020017.

The off-by-one DTLS implementation vulnerability was reported in SecurityTracker ID 1018810.

The one byte buffer overflow in the SSL_get_shared_ciphers function was reported in SecurityTracker ID 1018755 and SecurityTracker ID 1017522.

The BN_from_montgomery side-channel attack vulnerability was reported in Bugtraq ID 25163.

The vulnerabilities corrected by OpenSSL 0.9.7l and 0.9.8d were reported in an OpenSSL security advisory.

The RSA signature forgery for exponent 3 vulnerability was reported in OpenSSL security advisory. Additional information on the vulnerability can be found at ietf-openpgp msg14307.

The Potential SSL 2.0 Rollback vulnerability was reported in an OpenSSL security advisory.

The null-pointer assignment and out-of-bounds read vulnerabilities were reported in US-CERT advisory TA04-078A and an OpenSSL security advisory.

The Windows-based recursion denial-of-service vulnerability was reported in a Bugtraq posting and confirmed in an OpenSSL Advisory.

The recent batch of ASN.1 encoding errors were reported in CERT Advisory 2003-26 and an OpenSSL Advisory.

The buffer overflows and older ASN.1 encoding errors were reported in CERT Advisory 2002-23 and an OpenSSL Advisory.

The denial-of-service vulnerability in OpenSSL 0.9.6e was posted to Bugtraq.

The PRNG vulnerability was reported in an OpenSSL Advisory.

The CBC vulnerability was reported in another OpenSSL Advisory.

The RSA timing vulnerability was reported in another OpenSSL Advisory and in the paper Remote Timing Attacks are Practical by Dan Boneh and David Brumley.