CVE-2015-8036 — MEDIUM (6.8)

Q: How severe is CVE-2015-8036?

CVE-2015-8036 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2015-8036?

Check the references section above for vendor advisories and patch information. Affected products include: Arm Mbed Tls, Polarssl Polarssl, Debian Debian Linux, Fedoraproject Fedora, Opensuse Opensuse.

Vulnerability Description

Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long session ticket name to the session ticket extension, which is not properly handled when creating a ClientHello message to resume a session. NOTE: this identifier was SPLIT from CVE-2015-5291 per ADT3 due to different affected version ranges.

CVSS Score

6.8

MEDIUM

AV:N/AC:M/Au:N/C:P/I:P/A:P

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Arm	Mbed Tls	>= 1.3.0, < 1.3.14
Polarssl	Polarssl	<= 1.2.17
Debian	Debian Linux	7.0
Fedoraproject	Fedora	21
Opensuse	Opensuse	13.2

Related Weaknesses (CWE)

CWE-119

References

http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.htMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2016-08/msg00009.htmlMailing ListThird Party Advisory
http://www.debian.org/security/2016/dsa-3468Mailing ListThird Party Advisory
https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdfThird Party Advisory
https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/Third Party Advisory
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-Vendor Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.htMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2016-08/msg00009.htmlMailing ListThird Party Advisory
http://www.debian.org/security/2016/dsa-3468Mailing ListThird Party Advisory
https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdfThird Party Advisory
https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/Third Party Advisory
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-Vendor Advisory

FAQ

What is CVE-2015-8036?

CVE-2015-8036 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbit...

How severe is CVE-2015-8036?

CVE-2015-8036 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-8036?

Check the references section above for vendor advisories and patch information. Affected products include: Arm Mbed Tls, Polarssl Polarssl, Debian Debian Linux, Fedoraproject Fedora, Opensuse Opensuse.