CVE-2015-3195 — MEDIUM (5.3)

Q: How severe is CVE-2015-3195?

CVE-2015-3195 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2015-3195?

Check the references section above for vendor advisories and patch information. Affected products include: Apple Mac Os X, Oracle Api Gateway, Oracle Communications Webrtc Session Controller, Oracle Exalogic Infrastructure, Oracle Http Server.

Vulnerability Description

The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Apple	Mac Os X	< 10.11.4
Oracle	Api Gateway	11.1.2.3.0
Oracle	Communications Webrtc Session Controller	7.0
Oracle	Exalogic Infrastructure	1.0
Oracle	Http Server	11.5.10.2
Oracle	Life Sciences Data Hub	2.1
Oracle	Sun Ray Software	11.1
Oracle	Transportation Management	6.1
Oracle	Vm Server	3.2
Oracle	Vm Virtualbox	< 4.3.36
Oracle	Integrated Lights Out Manager Firmware	>= 3.0, <= 4.0.4
Oracle	Linux	5
Oracle	Solaris	10
Openssl	Openssl	< 0.9.8zh
Redhat	Enterprise Linux Desktop	5.0
Redhat	Enterprise Linux Server	5.0
Redhat	Enterprise Linux Server Aus	7.2
Redhat	Enterprise Linux Server Tus	7.2
Redhat	Enterprise Linux Workstation	5.0
Canonical	Ubuntu Linux	12.04

Related Weaknesses (CWE)

CWE-200

References

http://fortiguard.com/advisory/openssl-advisory-december-2015Broken Link
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10733Third Party Advisory
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759Third Party Advisory
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761Third Party Advisory
http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.htmlMailing ListThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173801.hThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00017.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2015-12/msg00070.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2015-12/msg00071.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2015-12/msg00087.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2015-12/msg00103.htmlMailing ListThird Party Advisory
http://marc.info/?l=bugtraq&m=145382583417444&w=2Mailing ListThird Party Advisory
http://openssl.org/news/secadv/20151203.txtVendor Advisory

FAQ

What is CVE-2015-3195?

CVE-2015-3195 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_A...

How severe is CVE-2015-3195?

CVE-2015-3195 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-3195?

Check the references section above for vendor advisories and patch information. Affected products include: Apple Mac Os X, Oracle Api Gateway, Oracle Communications Webrtc Session Controller, Oracle Exalogic Infrastructure, Oracle Http Server.