CVE-2015-5334 — CRITICAL (9.8)

Q: How severe is CVE-2015-5334?

CVE-2015-5334 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2015-5334?

Check the references section above for vendor advisories and patch information. Affected products include: Openbsd Libressl, Opensuse Opensuse.

Vulnerability Description

Off-by-one error in the OBJ_obj2txt function in LibreSSL before 2.3.1 allows remote attackers to cause a denial of service (program crash) or possible execute arbitrary code via a crafted X.509 certificate, which triggers a stack-based buffer overflow. Note: this vulnerability exists because of an incorrect fix for CVE-2014-3508.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Openbsd	Libressl	< 2.3.1
Opensuse	Opensuse	13.2

Related Weaknesses (CWE)

CWE-787

References

http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.1-relnotes.txtRelease NotesVendor Advisory
http://lists.opensuse.org/opensuse-updates/2015-10/msg00050.htmlMailing ListThird Party Advisory
http://packetstormsecurity.com/files/133998/Qualys-Security-Advisory-LibreSSL-LeExploitThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2015/Oct/75ExploitMailing ListThird Party Advisory
http://www.securityfocus.com/archive/1/archive/1/536692/100/0/threadedBroken Link
http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.1-relnotes.txtRelease NotesVendor Advisory
http://lists.opensuse.org/opensuse-updates/2015-10/msg00050.htmlMailing ListThird Party Advisory
http://packetstormsecurity.com/files/133998/Qualys-Security-Advisory-LibreSSL-LeExploitThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2015/Oct/75ExploitMailing ListThird Party Advisory
http://www.securityfocus.com/archive/1/archive/1/536692/100/0/threadedBroken Link

FAQ

What is CVE-2015-5334?

CVE-2015-5334 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Off-by-one error in the OBJ_obj2txt function in LibreSSL before 2.3.1 allows remote attackers to cause a denial of service (program crash) or possible execute arbitrary code via a crafted X.509 certif...

How severe is CVE-2015-5334?

CVE-2015-5334 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2015-5334?

Check the references section above for vendor advisories and patch information. Affected products include: Openbsd Libressl, Opensuse Opensuse.