OpenSSL CVE-2015-1790 Vulnerability

Description

Severity: Moderate

The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing. Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2b
OpenSSL 1.0.1 users should upgrade to 1.0.1n
OpenSSL 1.0.0 users should upgrade to 1.0.0s
OpenSSL 0.9.8 users should upgrade to 0.9.8zg

This issue was reported to OpenSSL on 18th April 2015 by Michal Zalewski (Google). The fix was developed by Emilia Käsper of the OpenSSL development team.
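The upgrade guidance above can be turned into an inventory check. The following is an added example, not code from the advisory or from OpenSSL: it parses a version string in the format printed by `openssl version` and compares its patch letters against the fixed release for that branch. The function names and sample strings are assumptions made for illustration.

```python
import re

# Fixed release letter per branch, taken from the advisory text above.
FIXED = {"1.0.2": "b", "1.0.1": "n", "1.0.0": "s", "0.9.8": "zg"}

# Branch, optional patch letters, optional vendor tag such as "-fips".
_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)(?:-[\w.]+)?")


def letter_rank(suffix):
    """Order OpenSSL patch letters: '' < a < ... < z < za < ... < zg."""
    return sum(ord(c) - ord("a") + 1 for c in suffix)


def check_cve_2015_1790(version_text):
    """Return (status, fixed_release) for an OpenSSL version string.

    status is 'affected', 'fixed' or 'unknown'. 'unknown' covers input
    that cannot be parsed and branches the advisory does not list.
    Caveat: distribution packages may backport the fix without changing
    the upstream letter, so 'affected' means "check the vendor changelog".
    """
    m = _VERSION_RE.search(version_text)
    if not m:
        return ("unknown", None)
    branch, letters = m.group(1), m.group(2)
    if branch not in FIXED:
        return ("unknown", None)
    fixed_release = branch + FIXED[branch]
    if letter_rank(letters) < letter_rank(FIXED[branch]):
        return ("affected", fixed_release)
    return ("fixed", fixed_release)


if __name__ == "__main__":
    # Constructed sample inputs, shaped like `openssl version` output.
    samples = [
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 0.9.8za 5 Jun 2014",
        "OpenSSL 0.9.8zg 11 Jun 2015",
        "OpenSSL 1.0.2b 11 Jun 2015",
        "OpenSSL 1.1.0",
    ]
    for s in samples:
        status, fixed = check_cve_2015_1790(s)
        print(f"{s!r}: {status}" + (f" (fixed in {fixed})" if fixed else ""))
```

A version at or above the fixed letter only matters for applications that parse PKCS#7 from untrusted sources, since the advisory states that OpenSSL clients and servers are not affected.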

Affected Applications

OpenSSL

CVE References

CVE-2015-1790