Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 5.8
CVE Id CVE-2008-5077
Last Modified 30 Oct 2012 11:06:44
Published 07 Jan 2009 12:30:00
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2008-5077

Summary

OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.

Vulnerable Systems

Application

  • Openssl 0.9.1c

  • Openssl 0.9.2b

  • Openssl 0.9.3

  • Openssl 0.9.3a

  • Openssl 0.9.4

  • Openssl 0.9.5

  • Openssl 0.9.5a

  • Openssl 0.9.6

  • Openssl 0.9.6a

  • Openssl 0.9.6b

  • Openssl 0.9.6c

  • Openssl 0.9.6d

  • Openssl 0.9.6e

  • Openssl 0.9.6f

  • Openssl 0.9.6g

  • Openssl 0.9.6h

  • Openssl 0.9.6i

  • Openssl 0.9.6j

  • Openssl 0.9.6k

  • Openssl 0.9.6l

  • Openssl 0.9.6m

  • Openssl 0.9.7

  • Openssl 0.9.7a

  • Openssl 0.9.7b

  • Openssl 0.9.7c

  • Openssl 0.9.7d

  • Openssl 0.9.7e

  • Openssl 0.9.7f

  • Openssl 0.9.7g

  • Openssl 0.9.7h

  • Openssl 0.9.7i

  • Openssl 0.9.7j

  • Openssl 0.9.7k

  • Openssl 0.9.7l

  • Openssl 0.9.8

  • Openssl 0.9.8a

  • Openssl 0.9.8b

  • Openssl 0.9.8c

  • Openssl 0.9.8d

  • Openssl 0.9.8e

  • Openssl 0.9.8f

  • Openssl 0.9.8g

  • Openssl 0.9.8h


References

CERT - TA09-133A

VUPEN - ADV-2009-1338

VUPEN - ADV-2009-1297

VUPEN - ADV-2009-0913

VUPEN - ADV-2009-0904

VUPEN - ADV-2009-0558

VUPEN - ADV-2009-0362

VUPEN - ADV-2009-0289

VUPEN - ADV-2009-0040

CONFIRM - http://www.vmware.com/security/advisories/VMSA-2009-0004.html

UBUNTU - USN-704-1

BUGTRAQ - 20090401 VMSA-2009-0004 ESX Service Console updates for openssl, bind, and vim

MISC - http://www.ocert.org/advisories/ocert-2008-016.html

CONFIRM - http://voodoo-circle.sourceforge.net/sa/sa-20090123-01.html

CONFIRM - http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=837653

CONFIRM - http://support.avaya.com/elmodocs2/security/ASA-2009-038.htm

CONFIRM - http://support.apple.com/kb/HT3549

SUNALERT - 250826

SLACKWARE - SSA:2009-014-01

GENTOO - GLSA-200902-02

SECUNIA - 39005

SECUNIA - 35108

SECUNIA - 35074

SECUNIA - 34211

SECUNIA - 33765

SECUNIA - 33673

SECUNIA - 33557

SECUNIA - 33436

SECUNIA - 33338

HP - SSRT090053

HP - SSRT090002

SUSE - SUSE-SU-2011:0847

SUSE - openSUSE-SU-2011:0845

APPLE - APPLE-SA-2009-05-12

SECTRACK - 1021523

BID - 33150

BUGTRAQ - 20090107 [oCERT-2008-016] Multiple OpenSSL signature verification API misuses

REDHAT - RHSA-2009:0004

CONFIRM - http://www.openssl.org/news/secadv_20090107.txt

SECUNIA - 33394

HP - HPSBMA02426

HP - HPSBUX02418

Related Patches

Apple 2009-05-12 Security Update 2009-002 Server (Tiger PPC)

Apple 2009-05-12 Security Update 2009-002 (Tiger PPC)

Apple 2009-05-12 Mac OS X 10.5.7 Combo Update

Apple 2009-05-12 Mac OS X Server 10.5.7 Update

Apple 2009-05-12 Mac OS X 10.5.7 Update

Apple 2009-05-12 Security Update 2009-002 (Tiger Intel)

Apple 2009-05-12 Mac OS X Server 10.5.7 Combo Update

Novell SUSE 2011:7645 compat-openssl097g security update for SLE 10 SP4 i586


Last Updated: 27 May 2016 10:49:48