Vulnerability Description
OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openssl | Openssl | <= 0.9.8h |
Related Weaknesses (CWE)
References
- http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html
- http://marc.info/?l=bugtraq&m=123859864430555&w=2
- http://marc.info/?l=bugtraq&m=124277349419254&w=2
- http://marc.info/?l=bugtraq&m=127678688104458&w=2
- http://secunia.com/advisories/33338 (Vendor Advisory)
- http://secunia.com/advisories/33394
- http://secunia.com/advisories/33436 (Vendor Advisory)
- http://secunia.com/advisories/33557 (Vendor Advisory)
- http://secunia.com/advisories/33673 (Vendor Advisory)
- http://secunia.com/advisories/33765 (Vendor Advisory)
- http://secunia.com/advisories/34211 (Vendor Advisory)
- http://secunia.com/advisories/35074 (Vendor Advisory)
- http://secunia.com/advisories/35108 (Vendor Advisory)
FAQ
What is CVE-2008-5077?
CVE-2008-5077 is a vulnerability with a CVSS score of 5.8 (MEDIUM). OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/T...
How severe is CVE-2008-5077?
CVE-2008-5077 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2008-5077?
Check the references section above for vendor advisories and patch information. Affected products include: Openssl Openssl.