The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of OpenSSL: NULL pointer dereference via SSL_check_chain

Synthesis of the vulnerability 

An attacker can force a NULL pointer dereference in OpenSSL's SSL_check_chain(), in order to trigger a denial of service.
Vulnerable products: Debian, FreeBSD, hMailServer, IBM i, QRadar SIEM, Juniper SBR, MariaDB ~ precise, MySQL Community, MySQL Enterprise, Nodejs Core, OpenSSL, openSUSE Leap, Oracle Fusion Middleware, Oracle Identity Management, Oracle OIT, Solaris, WebLogic, Percona Server, Pulse Secure SBR, Puppet, Python, SUSE Linux Enterprise Desktop, SLES, Nessus, WinSCP.
Severity of this weakness: 3/4.
Creation date: 21/04/2020.
Revision date: 05/05/2020.
References of this bulletin: 6235728, 6409294, bulletinjul2020, CERTFR-2020-AVI-235, cpujul2020, cpuoct2020, CVE-2020-1967, DSA-4661-1, FreeBSD-SA-20:11.openssl, JSA11074, openSUSE-SU-2020:0933-1, openSUSE-SU-2020:0945-1, SUSE-SU-2020:1058-1, SUSE-SU-2020:2041-1, VIGILANCE-VUL-32076.

Description of the vulnerability 

An attacker can force a NULL pointer dereference in OpenSSL's SSL_check_chain(), in order to trigger a denial of service.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This vulnerability alert impacts software or systems such as Debian, FreeBSD, hMailServer, IBM i, QRadar SIEM, Juniper SBR, MariaDB ~ precise, MySQL Community, MySQL Enterprise, Nodejs Core, OpenSSL, openSUSE Leap, Oracle Fusion Middleware, Oracle Identity Management, Oracle OIT, Solaris, WebLogic, Percona Server, Pulse Secure SBR, Puppet, Python, SUSE Linux Enterprise Desktop, SLES, Nessus, WinSCP.

Our Vigil@nce team determined that the severity of this computer weakness alert is important.

The trust level is "confirmed by the editor", and the attack origin is an internet client.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with a specialist ability can exploit this computer vulnerability.

Solutions for this threat 

OpenSSL: version 1.1.1g.
The version 1.1.1g is fixed:
  https://www.openssl.org/source/openssl-1.1.1g.tar.gz

Debian 10: new openssl packages.
New packages are available:
  Debian 10: openssl 1.1.1d-0+deb10u3

FreeBSD: patch for openssl.
A patch is available:
  https://security.FreeBSD.org/patches/SA-20:11/openssl.patch

hMailServer: version 5.6.8 Build 2501.
The version 5.6.8 Build 2501 is fixed:
  https://www.hmailserver.com/download_getfile/?performdownload=1&downloadid=268

IBM i: patch for OpenSSL.
A patch is indicated in information sources.

IBM QRadar SIEM: fixed versions for IBM Security QRadar Analyst Workflow.
Fixed versions are indicated in information sources.

Juniper Networks SBR Carrier: fixed versions for Third-party Software.
Fixed versions are indicated in information sources.

Juniper Networks SBR Carrier: versions 8.5.0-R17 and 8.6.0-R12.
Versions 8.5.0-R17 and 8.6.0-R12 are fixed:
  https://www.juniper.net/support/downloads/

MariaDB: versions 10.1.46, 10.2.33, 10.3.24, 10.4.14 and 10.5.5.
Versions 10.1.46, 10.2.33, 10.3.24, 10.4.14 and 10.5.5 are fixed:
  https://downloads.mariadb.org/mariadb/10.5.5
  https://downloads.mariadb.org/mariadb/10.4.14
  https://downloads.mariadb.org/mariadb/10.3.24
  https://downloads.mariadb.org/mariadb/10.2.33
  https://downloads.mariadb.org/mariadb/10.1.46

Node Core: version 12.16.3.
The version 12.16.3 is fixed:
  https://nodejs.org/en/download/

Node Core: version 14.1.0.
The version 14.1.0 is fixed:
  https://nodejs.org/en/download/current/

openSUSE Leap 15.1: new rust packages.
New packages are available:
  openSUSE Leap 15.1: rust 1.43.1-lp151.5.13.1

openSUSE Leap 15.2: new rust packages.
New packages are available:
  openSUSE Leap 15.2: rust 1.43.1-lp152.3.5.1

Oracle Fusion Middleware: CPU of October 2020.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2694898.1

Oracle MySQL: version 5.6.49.
The version 5.6.49 is fixed:
  https://support.oracle.com/rs?type=doc&id=2683189.1
  https://www.mysql.com/fr/downloads/
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 5.7.31.
The version 5.7.31 is fixed:
  https://support.oracle.com/rs?type=doc&id=2683189.1
  https://www.mysql.com/fr/downloads/
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 8.0.21.
The version 8.0.21 is fixed:
  https://support.oracle.com/rs?type=doc&id=2683189.1
  https://www.mysql.com/fr/downloads/
  https://dev.mysql.com/downloads/mysql/

Oracle Solaris: patch for third party software of January 2021 v3.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Oracle Solaris: patch for third party software of July 2020 v3.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Percona Server for MySQL: version 5.6.49-89.0.
The version 5.6.49-89.0 is fixed:
  https://www.percona.com/

Puppet Platform: version 5.5.20.
The version 5.5.20 is fixed:
  https://puppet.com/
  https://puppet.com/docs/puppet/5.5/release_notes.html

Puppet Platform: version 6.15.0.
The version 6.15.0 is fixed:
  https://puppet.com/
  https://puppet.com/docs/puppet/latest/release_notes_puppet.html

Python: version 3.8.3.
The version 3.8.3 is fixed:
  https://www.python.org/downloads/release/python-383/

SUSE LE 12: new openssl-1_1 packages.
New packages are available:
  SUSE LE 12 SP5: libopenssl1_1 1.1.1d-2.23.1
  SUSE LE 12 SP4: libopenssl1_1 1.1.1d-2.23.1, openssl-1_1 1.1.1d-2.23.1

SUSE LE 15 SP1-2: new rust packages.
New packages are available:
  SUSE LE 15 SP2: rust 1.43.1-12.1

Tenable Nessus: version 8.10.1.
The version 8.10.1 is fixed.

Wind River Linux: version 10.18.44.17.
The version 10.18.44.17 is fixed:
  https://support2.windriver.com/

Wind River Linux: version 10.19.45.7.
The version 10.19.45.7 is fixed:
  https://support2.windriver.com/

WinSCP: version 5.17.4.
The version 5.17.4 is fixed:
  https://winscp.net/download/WinSCP-5.17.4-Setup.exe

Computer vulnerabilities tracking service 

Vigil@nce provides computer security patches. The Vigil@nce vulnerability database contains several thousand vulnerabilities.