
CVE-2012-2110

Impact: Important
Public: 2012-04-19
CWE: CWE-681->CWE-119
Bugzilla: 814185: CVE-2012-2110 openssl: asn1_d2i_read_bio integer errors leading to buffer overflow
IAVA: 2012-A-0153

Details

The MITRE CVE dictionary describes this issue as:

The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.

Find out more about CVE-2012-2110 from the MITRE CVE dictionary and NIST NVD.
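The description above names the bug class but not the check that prevents it: a DER reader derives buffer sizes from length fields it does not control, so every integer step from the length bytes to the allocation size must be validated. The following is an added illustration written for this page, not OpenSSL's asn1_d2i_read_bio and not code from the advisory; the function names and the sample headers are constructed here.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical reader, not OpenSSL's code: decode the length field of a DER
 * TLV header (buf[0] is the tag, the length starts at buf[1]) and compute the
 * total object size (header + content) with each integer step checked.
 * 'avail' is the number of header bytes read so far; the content need not be
 * present yet, as in a reader that pulls a stream in chunks and grows its
 * buffer to the size the header announces. Returns 1 on success, 0 for a
 * truncated, indefinite or overflowing length. */
int der_object_size(const unsigned char *buf, size_t avail, size_t *total)
{
    size_t hdr, len = 0, i;

    if (avail < 2)
        return 0;
    if (buf[1] < 0x80) {                 /* short form: one length byte */
        len = buf[1];
        hdr = 2;
    } else {
        size_t n = buf[1] & 0x7f;        /* long form: n length bytes follow */
        /* n == 0 is BER indefinite length (not DER); n > sizeof(size_t) cannot
         * be represented, so reject it rather than silently truncate */
        if (n == 0 || n > sizeof(size_t) || avail < 2 + n)
            return 0;
        for (i = 0; i < n; i++)
            len = (len << 8) | buf[2 + i];
        hdr = 2 + n;
    }
    /* The check this bug class is about: header + content must not wrap
     * around before it is used as an allocation or read size. */
    if (len > SIZE_MAX - hdr)
        return 0;
    *total = hdr + len;
    return 1;
}

/* Object size, or 0 when the header is rejected (a valid object is >= 2). */
size_t der_object_size_or_zero(const unsigned char *buf, size_t avail)
{
    size_t total;
    return der_object_size(buf, avail, &total) ? total : 0;
}

/* Constructed sample headers for demonstration, not taken from the advisory. */
const unsigned char DER_SEQ_256[]   = { 0x30, 0x82, 0x01, 0x00 };  /* SEQUENCE, 256 bytes */
const unsigned char DER_SEQ_SHORT[] = { 0x30, 0x05 };              /* SEQUENCE, 5 bytes */
const unsigned char DER_INDEF[]     = { 0x30, 0x80 };              /* indefinite length */
const unsigned char DER_HUGE[]      = { 0x30, 0x88, 0xff, 0xff, 0xff, 0xff,
                                        0xff, 0xff, 0xff, 0xff };  /* wraps on add */
```

On a 32-bit host DER_HUGE is rejected by the width check, on a 64-bit host by the overflow check, so the result is the same either way.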

CVSS v2 metrics

Base Score: 7.5
Base Metrics: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat security errata

Platform                                                       Errata          Release Date
Red Hat Enterprise Linux ES (v. 3 ELS) (openssl)               RHSA-2012:0522  April 25, 2012
Red Hat Enterprise Linux ES (v. 4 ELS) (openssl)               RHSA-2012:0522  April 25, 2012
Red Hat Enterprise Linux EUS (v. 5.6 server) (openssl)         RHSA-2012:0522  April 25, 2012
Red Hat Enterprise Linux Long Life (v. 5.3 server) (openssl)   RHSA-2012:0522  April 25, 2012
Red Hat Enterprise Linux Server EUS (v. 6.0) (openssl)         RHSA-2012:0522  April 25, 2012
Red Hat Enterprise Linux Server EUS (v. 6.1) (openssl)         RHSA-2012:0522  April 25, 2012
Red Hat Enterprise Linux version 5                             RHSA-2012:0518  April 24, 2012
Red Hat Enterprise Linux version 6                             RHSA-2012:0518  April 24, 2012
Red Hat JBoss Enterprise Application Platform 5.1 (openssl)    RHSA-2012:1307  September 24, 2012
Red Hat JBoss Enterprise Application Platform 6.0 (openssl)    RHSA-2012:1308  September 24, 2012
Red Hat JBoss Web Server 1.0                                   RHSA-2012:1306  September 24, 2012

External References

http://www.openssl.org/news/secadv_20120419.txt

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact the Red Hat Security Response Team.