Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2002-0082

Overview

Vulnerability Score 7.5 7.5
CVE Id CVE-2002-0082
Last Modified 10 Sep 2008 03:11:17
Published 15 Mar 2002 12:00:00
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact PARTIAL PARTIAL
Availability Impact PARTIAL PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2002-0082

Summary

The dbm and shm session cache code in mod_ssl before 2.8.7-1.3.23, and Apache-SSL before 1.3.22+1.46, does not properly initialize memory using the i2d_SSL_SESSION function, which allows remote attackers to use a buffer overflow to execute arbitrary code via a large client certificate that is signed by a trusted Certificate Authority (CA), which produces a large serialized session.

Vulnerable Systems

Application

  • Apache-ssl 1.40

  • Apache-ssl 1.41

  • Apache-ssl 1.42

  • Apache-ssl 1.44

  • Apache-ssl 1.45

  • Apache-ssl 1.46

  • Mod Ssl 2.7.1

  • Mod Ssl 2.8

  • Mod Ssl 2.8.1

  • Mod Ssl 2.8.2

  • Mod Ssl 2.8.3

  • Mod Ssl 2.8.4

  • Mod Ssl 2.8.5

  • Mod Ssl 2.8.6


References

XF - apache-modssl-bo(8308)

CONFIRM - http://www.apacheweek.com/issues/02-03-01#security

BUGTRAQ - 20020301 Apache-SSL buffer overflow (fix available)

BID - 4189

HP - HPSBUX0204-190

HP - HPSBTL0203-031

REDHAT - RHSA-2002:045

REDHAT - RHSA-2002:042

REDHAT - RHSA-2002:041

ENGARDE - ESA-20020301-005

MANDRAKE - MDKSA-2002:020

DEBIAN - DSA-120

CALDERA - CSSA-2002-011.0

BUGTRAQ - 20020227 mod_ssl Buffer Overflow Condition (Update Available)

BUGTRAQ - 20020304 Apache-SSL 1.3.22+1.47 - update to security fix

COMPAQ - SSRT0817

CONECTIVA - CLA-2002:465


Last Updated: 27 May 2016 10:36:46