The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of OpenSSL: denial of service via Recursive ASN.1

Synthesis of the vulnerability 

An attacker can submit a deeply nested ASN.1 structure of a recursively defined type (such as PKCS#7) to an application that decodes it with OpenSSL, exhausting the stack of the parsing process, in order to trigger a denial of service.
Impacted software: Blue Coat CAS, ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, Broadcom Content Analysis, ProxySG by Symantec, SGOS by Symantec, Debian, Avamar, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, AIX, IBM i, Rational ClearCase, QRadar SIEM, Tivoli Storage Manager, WebSphere MQ, Juniper SBR, MariaDB ~ precise, McAfee Email Gateway, MySQL Community, MySQL Enterprise, OpenSSL, openSUSE Leap, Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Solaris, Tuxedo, Oracle Virtual Directory, WebLogic, Palo Alto Firewall PA***, PAN-OS, Percona Server, RHEL, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu, X2GoClient.
Severity of this computer vulnerability: 2/4.
Creation date: 27/03/2018.
References for this announcement: 2015887, 524146, bulletinjan2019, CERTFR-2018-AVI-155, cpuapr2019, cpujan2019, cpujul2018, cpujul2019, cpuoct2018, CVE-2018-0739, DLA-1330-1, DSA-2018-125, DSA-2020-030, DSA-4157-1, DSA-4158-1, FEDORA-2018-1b4f1158e2, FEDORA-2018-40dc8b8b16, FEDORA-2018-76afaf1961, FEDORA-2018-9490b422e7, ibm10715641, ibm10717211, ibm10717405, ibm10717409, ibm10719319, ibm10733605, ibm10738249, ibm10874728, JSA10990, K08044291, N1022561, openSUSE-SU-2018:0936-1, openSUSE-SU-2018:1057-1, openSUSE-SU-2018:2208-1, openSUSE-SU-2018:2238-1, openSUSE-SU-2018:2524-1, openSUSE-SU-2018:2695-1, PAN-SA-2018-0015, RHSA-2018:3090-01, RHSA-2018:3221-01, SA166, SB10243, SSA-181018, SUSE-SU-2018:0902-1, SUSE-SU-2018:0905-1, SUSE-SU-2018:0906-1, SUSE-SU-2018:0975-1, SUSE-SU-2018:2072-1, SUSE-SU-2018:2158-1, SUSE-SU-2018:2683-1, SUSE-SU-2020:0495-1, Synology-SA-18:51, USN-3611-1, USN-3611-2, VIGILANCE-VUL-25666.

Description of the vulnerability 

OpenSSL decodes constructed ASN.1 types by recursion in its generic decoder (asn1_item_embed_d2i). Some of the ASN.1 types OpenSSL implements are defined recursively; PKCS#7 is the standard example, since a ContentInfo can carry a SignedData whose content is itself another ContentInfo, with no bound on the nesting depth in the type definition. Before the fix, each nesting level of such a structure consumed a further stack frame without any limit, so an attacker who supplies a DER object with excessively deep nesting can exhaust the stack of the process that parses it and crash it (CVE-2018-0739). The issue was found by OSS-Fuzz and rated Moderate by the OpenSSL project.

Exposure is limited to applications that decode untrusted ASN.1 through such recursively defined types, for example a gateway or mail server parsing attacker-supplied PKCS#7/CMS or S/MIME content, or a tool that loads arbitrary DER files. The SSL/TLS protocol code does not decode any recursively defined structure from untrusted input, so a plain TLS endpoint is not reachable through this bug. The fix, shipped in OpenSSL 1.1.0h and 1.0.2o, bounds the recursion depth of constructed types to 30 levels; deeper input is now rejected as a decoding error instead of being parsed.
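To make the failure mode concrete, the following depth-limited DER walker is an added example written for this page; it is not OpenSSL or Vigil@nce code. It walks TLV elements, recursing into every constructed element the way a generic ASN.1 decoder does, and applies a nesting bound of 30 (the value OpenSSL's fix uses for constructed types). The `nested_sequences` helper is a constructed test input: `levels` SEQUENCEs wrapped around one NULL, which is the shape an attacker would send. Run with the bound disabled, the same input exhausts the interpreter's stack, which stands in for the pre-1.1.0h / pre-1.0.2o behaviour.

```python
"""Depth-limited DER walker for recursively nested constructed types.

Added example, not OpenSSL or Vigil@nce code.  A recursive parser with no
nesting bound spends one stack frame per constructed level, so attacker-
controlled nesting depth becomes attacker-controlled stack consumption.
The cap of 30 mirrors the limit OpenSSL 1.1.0h / 1.0.2o adopted.
"""
from typing import Optional

MAX_CONSTRUCTED_NEST = 30  # same bound OpenSSL applies to constructed types


class MalformedDER(ValueError):
    """Truncated headers, lengths that overrun the buffer, unsupported tags."""


class NestingTooDeep(MalformedDER):
    """Constructed nesting exceeded the configured bound."""


def _encode_length(n: int) -> bytes:
    """DER length encoding: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _read_length(data: bytes, pos: int) -> tuple:
    """Decode the DER length at data[pos]; return (length, position after it)."""
    if pos >= len(data):
        raise MalformedDER("truncated length octet")
    first, pos = data[pos], pos + 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + nbytes > len(data):
        raise MalformedDER("bad long-form length")
    return int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes


def walk(data: bytes, depth: int = 0,
         max_depth: Optional[int] = MAX_CONSTRUCTED_NEST) -> int:
    """Walk a DER blob, recursing into every constructed element.

    Returns the deepest constructed nesting level seen.  Raises NestingTooDeep
    before recursing once the next level would exceed max_depth; that is the
    check the unpatched decoder lacked.  max_depth=None removes the bound, so
    the parser then fails only when the interpreter's recursion limit is hit.
    """
    pos, deepest = 0, depth
    while pos < len(data):
        tag, pos = data[pos], pos + 1
        if tag & 0x1F == 0x1F:
            raise MalformedDER("multi-byte tags not supported by this toy")
        length, pos = _read_length(data, pos)
        if pos + length > len(data):
            raise MalformedDER("element overruns buffer")
        body, pos = data[pos:pos + length], pos + length
        if tag & 0x20:  # bit 6 set: constructed, contents are further TLVs
            if max_depth is not None and depth + 1 > max_depth:
                raise NestingTooDeep(f"constructed nesting exceeds {max_depth}")
            deepest = max(deepest, walk(body, depth + 1, max_depth))
    return deepest


def nested_sequences(levels: int) -> bytes:
    """Constructed test input: `levels` SEQUENCEs wrapped around one NULL."""
    blob = b"\x05\x00"  # NULL, the innermost primitive
    for _ in range(levels):
        blob = b"\x30" + _encode_length(len(blob)) + blob  # SEQUENCE is 0x30
    return blob


def parse_outcome(data: bytes, max_depth: Optional[int] = MAX_CONSTRUCTED_NEST) -> str:
    """Summarise what walk() does with `data`: accepted, rejected, or crashed."""
    try:
        return f"ok depth={walk(data, max_depth=max_depth)}"
    except NestingTooDeep:
        return "rejected: nesting bound"
    except RecursionError:
        return "crashed: stack exhausted"
    except MalformedDER as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for levels in (3, 30, 31, 5000):
        print(levels, parse_outcome(nested_sequences(levels)))
    # Same 5000-level blob against the unbounded parser: stack exhaustion
    # instead of a clean rejection, the pre-fix behaviour.
    print("unbounded", parse_outcome(nested_sequences(5000), max_depth=None))
```

The point of the bound is where it sits: the check runs before the recursive call, so the rejection costs nothing beyond the 30 frames already spent, whatever the attacker's input size.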


The Vigil@nce team rates the severity of this vulnerability as medium (2/4).

The trust level is confirmed by the vendor, and the attack originates from an internet client.

Exploiting this vulnerability requires expert-level skill.

Solutions for this threat 

OpenSSL: version 1.1.0h.
The version 1.1.0h is fixed:
  https://www.openssl.org/

OpenSSL: version 1.0.2o.
The version 1.0.2o is fixed:
  https://www.openssl.org/
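The two upstream fixes above are the only version numbers that can be checked directly from `openssl version` output. The script below, an added example that is neither Vigil@nce nor OpenSSL tooling, parses that output and classifies the build against 1.0.2o and 1.1.0h, handling OpenSSL's letter-suffixed release scheme (1.0.2 < 1.0.2a < 1.0.2o). It deliberately refuses to judge vendor packages: the distribution packages listed further down in this bulletin, such as RHEL 7 openssl 1.0.2k-16.el7 or Debian 9 openssl 1.1.0f-3+deb9u2, carry the fix as a backport while still reporting an older upstream version, so for those the package version, not the upstream string, is what must be compared. The verdict names ("fixed", "vulnerable", "indeterminate") are this example's own.

```python
"""Classify an `openssl version` string against the CVE-2018-0739 fixes.

Added example, not Vigil@nce or OpenSSL code.  Fixed upstream releases are
the two given in the bulletin: 1.0.2o and 1.1.0h.  Branches newer than
1.1.0 (1.1.1, 3.x) were released after the fix.  Branches older than 1.0.2
(0.9.8, 1.0.0, 1.0.1) were end-of-life upstream in 2018 and only ever
received the fix as vendor backports.
"""
import re
import subprocess

FIXED = {(1, 0, 2): "1.0.2o", (1, 1, 0): "1.1.0h"}

# "OpenSSL 1.0.2k-fips  26 Jan 2017" -> major, minor, fix, letters, suffix
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\S+))?")


def parse_version(text: str) -> tuple:
    """Return ((major, minor, fix), letter_rank, suffix).

    letter_rank is 0 for no letter, 1 for 'a' ... 26 for 'z'; OpenSSL 1.x
    only ever used a single patch letter, so longer tails are rejected.
    suffix is the '-fips' / '-dev' / '-pre1' tail, or None.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, fix, letters, suffix = m.groups()
    if len(letters) > 1:
        raise ValueError(f"unexpected patch letters: {letters!r}")
    rank = ord(letters) - ord("a") + 1 if letters else 0
    return (int(major), int(minor), int(fix)), rank, suffix


def assess(version_text: str, distro_package: bool = False) -> str:
    """Return "fixed", "vulnerable" or "indeterminate" for one OpenSSL build.

    distro_package=True means the library comes from a vendor package that
    may carry backported fixes; an old upstream string is then not proof of
    exposure and the package version has to be checked instead.
    """
    branch, rank, suffix = parse_version(version_text)
    if suffix and (suffix.startswith("pre") or suffix == "dev"):
        return "indeterminate"          # snapshot: check its release notes
    if branch > (1, 1, 0):
        return "fixed"                  # released after the fix
    if branch in FIXED:
        fixed_rank = parse_version(FIXED[branch])[1]
        if rank >= fixed_rank:
            return "fixed"
    # Below the fix in a maintained branch, or an EOL branch upstream never fixed.
    return "indeterminate" if distro_package else "vulnerable"


def assess_local(distro_package: bool = False) -> str:
    """Run the local `openssl version` binary and classify it."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return "indeterminate"          # no usable openssl binary on PATH
    return assess(out, distro_package=distro_package)


if __name__ == "__main__":
    # Constructed sample strings in the format `openssl version` prints.
    for sample in ("OpenSSL 1.0.2o  27 Mar 2018",
                   "OpenSSL 1.0.2n  7 Dec 2017",
                   "OpenSSL 1.1.0h  27 Mar 2018",
                   "OpenSSL 1.0.1t  3 May 2016"):
        print(f"{sample:32} -> {assess(sample)}")
    # RHEL 7 reports 1.0.2k-fips even when openssl-1.0.2k-16.el7 is installed.
    rhel = "OpenSSL 1.0.2k-fips  26 Jan 2017"
    print(f"{rhel:32} -> {assess(rhel, distro_package=True)}")
    print("local binary ->", assess_local(distro_package=True))
```

For fleet use, feed `assess` the string collected from each host and `rpm -q openssl` / `dpkg -s libssl1.1` output to a separate package-version comparison; treating "indeterminate" as "fixed" is the mistake this split is meant to prevent.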

AIX: patch for OpenSSL.
A patch is indicated in information sources.

Debian 7: new openssl packages.
New packages are available:
  Debian 7: openssl 1.0.1t-1+deb7u4

Debian 8/9: new openssl packages.
New packages are available:
  Debian 8: openssl 1.0.1t-1+deb8u8
  Debian 9: openssl 1.1.0f-3+deb9u2

Debian 9: new openssl1.0 packages.
New packages are available:
  Debian 9: openssl1.0 1.0.2l-2+deb9u3

Dell EMC VNXe3200: version 3.1.11.10003441.
The version 3.1.11.10003441 is fixed:
  https://www.dell.com/support/

EMC Avamar Server: solution for OpenSSL.
The solution is indicated in information sources.

F5 BIG-IP: solution for OpenSSL.
The solution is indicated in information sources.

Fedora: new compat-openssl10 packages.
New packages are available:
  Fedora 26: compat-openssl10 1.0.2o-1.fc26
  Fedora 27: compat-openssl10 1.0.2o-1.fc27

Fedora: new openssl packages.
New packages are available:
  Fedora 26: openssl 1.1.0h-1.fc26
  Fedora 27: openssl 1.1.0h-1.fc27

IBM BigFix Platform: patch.
A patch is indicated in information sources.

IBM BigFix Platform: solution.
The solution is indicated in information sources.

IBM BigFix Remote Control: solution for Java.
The solution is indicated in information sources.

IBM Cognos Analytics: version 11.0.13.0.
The version 11.0.13.0 is fixed:
  https://www-01.ibm.com/support/docview.wss?uid=ibm10718809

IBM Cognos Business Intelligence: patch.
A patch is indicated in information sources.

IBM i: patch for OpenSSL.
A patch is indicated in information sources.

IBM MQ: patch for OpenSSL.
A patch is indicated in information sources.

IBM QRadar SIEM: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

IBM Rational ClearCase: solution for OpenSSL.
The solution is indicated in information sources.

IBM Spectrum Protect: solution for OpenSSL.
The solution is indicated in information sources.

Juniper SBR Carrier: versions 8.4.1R13 and 8.5.0R4.
Versions 8.4.1R13 and 8.5.0R4 are fixed:
  https://support.juniper.net/support/

MariaDB: version 10.0.36.
The version 10.0.36 is fixed:
  https://mariadb.com/downloads

MariaDB: version 5.5.61.
The version 5.5.61 is fixed:
  https://mariadb.com/

McAfee Email Gateway: patch for OpenSSL.
A patch is indicated in information sources.

McAfee Email Gateway: solution for OpenSSL.
The solution is indicated in information sources.

openSUSE Leap 15.0: new ovmf packages.
New packages are available:
  openSUSE Leap 15.0: ovmf 2017+git1510945757.b2662641d5-lp150.4.3.1

openSUSE Leap 42.3: new compat-openssl098 packages.
New packages are available:
  openSUSE Leap 42.3: compat-openssl098 0.9.8j-24.1

openSUSE Leap 42.3: new openssl packages.
New packages are available:
  openSUSE Leap 42.3: openssl 1.0.2j-19.1

openSUSE Leap 42.3: new ovmf packages.
New packages are available:
  openSUSE Leap 42.3: ovmf 2017+git1492060560.b6d11d7c46-10.1

openSUSE Leap 42.3: new virtualbox packages.
New packages are available:
  openSUSE Leap 42.3: virtualbox 5.1.36-50.1

openSUSE Leap: new virtualbox packages (27/08/2018).
New packages are available:
  openSUSE Leap 42.3: virtualbox 5.2.18-56.1

Oracle Communications: CPU of April 2019.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2518758.1
  https://support.oracle.com/rs?type=doc&id=2518763.1
  https://support.oracle.com/rs?type=doc&id=2522151.1
  https://support.oracle.com/rs?type=doc&id=2519787.1
  https://support.oracle.com/rs?type=doc&id=2522126.1
  https://support.oracle.com/rs?type=doc&id=2522123.1
  https://support.oracle.com/rs?type=doc&id=2518753.1
  https://support.oracle.com/rs?type=doc&id=2522121.1
  https://support.oracle.com/rs?type=doc&id=2528862.1
  https://support.oracle.com/rs?type=doc&id=2518754.1

Oracle Communications: CPU of January 2019.
A Critical Patch Update is available:
  https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Oracle Communications: CPU of July 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2410237.1
  https://support.oracle.com/rs?type=doc&id=2406191.1
  https://support.oracle.com/rs?type=doc&id=2410234.1
  https://support.oracle.com/rs?type=doc&id=2408211.1
  https://support.oracle.com/rs?type=doc&id=2406689.1
  https://support.oracle.com/rs?type=doc&id=2408212.1
  https://support.oracle.com/rs?type=doc&id=2410243.1
  https://support.oracle.com/rs?type=doc&id=2410198.1

Oracle Communications: CPU of July 2019.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2559239.1
  https://support.oracle.com/rs?type=doc&id=2563691.1
  https://support.oracle.com/rs?type=doc&id=2559240.1
  https://support.oracle.com/rs?type=doc&id=2559722.1
  https://support.oracle.com/rs?type=doc&id=2559225.1
  https://support.oracle.com/rs?type=doc&id=2559721.1
  https://support.oracle.com/rs?type=doc&id=2559256.1
  https://support.oracle.com/rs?type=doc&id=2559242.1
  https://support.oracle.com/rs?type=doc&id=2559243.1
  https://support.oracle.com/rs?type=doc&id=2559648.1

Oracle Fusion Middleware: CPU of July 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2394520.1

Oracle Fusion Middleware: CPU of October 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2433477.1

Oracle MySQL: version 5.5.61.
The version 5.5.61 is fixed:
  https://support.oracle.com/rs?type=doc&id=2417138.1
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 5.6.41.
The version 5.6.41 is fixed:
  https://support.oracle.com/rs?type=doc&id=2417138.1
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 5.7.23.
The version 5.7.23 is fixed:
  https://support.oracle.com/rs?type=doc&id=2417138.1
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 8.0.12.
The version 8.0.12 is fixed:
  https://support.oracle.com/rs?type=doc&id=2417138.1
  https://dev.mysql.com/downloads/mysql/

Oracle Solaris: patch for third party software of January 2019 v1.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Palo Alto PAN-OS: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

RHEL 7: new openssl packages.
New packages are available:
  RHEL 7: openssl 1.0.2k-16.el7

RHEL 7: new ovmf packages.
New packages are available:
  RHEL 7: ovmf 20180508-3.gitee3198e672e2.el7

stunnel: version 5.45.
The version 5.45 is fixed:
  https://www.stunnel.org/downloads.html

SUSE LE 11: new openssl1 packages.
New packages are available:
  SUSE LE 11 RTM-SP4: openssl1 1.0.1g-0.58.9.1

SUSE LE 11 SP4: new openssl packages.
New packages are available:
  SUSE LE 11 SP4: openssl 0.9.8j-0.106.9.1

SUSE LE 12 RTM: new openssl packages.
New packages are available:
  SUSE LE 12 RTM: openssl 1.0.1i-27.31.1

SUSE LE 12 SP1: new openssl packages.
New packages are available:
  SUSE LE 12 SP1: openssl 1.0.1i-54.11.1

SUSE LE 12 SP2: new ovmf packages.
New packages are available:
  SUSE LE 12 SP2: ovmf 2015+git1462940744.321151f-19.10.3

SUSE LE 12 SP3: new compat-openssl098 packages.
New packages are available:
  SUSE LE 12 SP3: compat-openssl098 0.9.8j-106.6.1

SUSE LE 12 SP3: new ovmf packages.
New packages are available:
  SUSE LE 12 SP3: ovmf 2017+git1492060560.b6d11d7c46-4.9.4

SUSE LE 15: new ovmf packages.
New packages are available:
  SUSE LE 15 RTM: ovmf 2017+git1510945757.b2662641d5-5.3.6

Symantec CA, MA, ProxyAV, ProxySG: solution for OpenSSL.
The solution is indicated in information sources.

Synology DSM: version 6.2.1-23824.
The version 6.2.1-23824 is fixed:
  https://www.synology.com/

Synology RS/DS: version 6.2.1-23824-1.
The version 6.2.1-23824-1 is fixed:
  https://www.synology.com/

Ubuntu: new libssl1.0.0 packages.
New packages are available:
  Ubuntu 17.10: libssl1.0.0 1.0.2g-1ubuntu13.4
  Ubuntu 16.04 LTS: libssl1.0.0 1.0.2g-1ubuntu4.11
  Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.24
  Ubuntu 12.04 ESM: libssl1.0.0 1.0.1-4ubuntu5.40

X2Go Client for Windows: version 4.1.2.2-2020.02.13.
The version 4.1.2.2-2020.02.13 is fixed:
  http://wiki.x2go.org/doku.php/doc:release-notes-mswin:x2goclient-4.1.2.2

X2Go Client: version 4.1.2.0.
The version 4.1.2.0 is fixed:
  https://wiki.x2go.org/doku.php
