Security Bulletin: Vulnerabilities in OpenSSL (CVE-2015-1793)

Abstract: An error in the implementation of the alternative certificate chain logic could allow an attacker to cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.

Content:

VULNERABILITY DETAILS:

CVEID: CVE-2015-1793

DESCRIPTION:

This issue only affects OpenSSL 1.0.2c, 1.0.2b, 1.0.1o, and 1.0.1n.

An error in the implementation of the alternative certificate chain logic could allow an attacker to cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. (original advisory). Reported by Adam Langley and David Benjamin (Google/BoringSSL).

NO AFFECTED PRODUCTS AND VERSIONS due to use of OpenSSL 1.0.1m:

IBM Aspera Faspex Application 3.9.2 and earlier

IBM Aspera Shares 1.9.2 and earlier

IBM Aspera Proxy 1.2.2 and earlier

IBM Aspera Enterprise Server Client 3.5.5 and earlier

IBM Aspera Point to Point 3.5.5 and earlier

IBM Aspera Enterprise Server 3.5.5 and earlier

IBM Aspera OnDemand 3.5.4 and earlier

IBM Aspera Orchestrator 2.3.0 and earlier

IBM Aspera Console 3.0.1 and earlier
