Vulnerability Details: CVE-2012-2131
Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL 0.9.8v allow remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2110.
Vulnerability category: Overflow, Memory Corruption, Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2012-2131
Probability of exploitation activity in the next 30 days: 9.72%
Percentile (the proportion of vulnerabilities scored at or below this one): ~94%
CVSS scores for CVE-2012-2131
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
| 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
CWE ids for CVE-2012-2131
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-2131
- [OpenSSL ASN.1 code execution CVE-2012-2131 Vulnerability Report](https://exchange.xforce.ibmcloud.com/vulnerabilities/75099)
- [mandriva.com](http://www.mandriva.com/security/advisories?name=MDVSA-2012:064)
- [OpenSSL asn1_d2i_read_bio() Buffer Overflow Lets Remote Users Execute Arbitrary Code - SecurityTracker](http://www.securitytracker.com/id?1026957)
- [About the security content of OS X Mountain Lion v10.8.4 and Security Update 2013-002 - Apple Support](http://support.apple.com/kb/HT5784)
- [Vendor Advisory](http://www.openssl.org/news/secadv_20120424.txt)
- ['[security bulletin] HPSBOV02793 SSRT100891 rev.1 - HP OpenVMS running SSL, Remote Denial of Service' - MARC](http://marc.info/?l=bugtraq&m=134039053214295&w=2)
- [Security Bulletin: Storage HMC OpenSSL upgrade to address cryptographic vulnerabilities.](http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564)
- http://cvs.openssl.org/chngview?cn=22479
- [Apple - Lists.apple.com](http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html)
- [oss-security - Re: OpenSSL ASN1 BIO vulnerability (CVE-2012-2110)](http://www.openwall.com/lists/oss-security/2012/04/24/1)
- [Debian -- Security Information -- DSA-2454-2 openssl](http://www.debian.org/security/2012/dsa-2454)
- [USN-1428-1: OpenSSL vulnerability | Ubuntu security notices](http://www.ubuntu.com/usn/USN-1428-1)
- [[security-announce] SUSE-SU-2012:0637-1: important: Security update for](http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00015.html)
- [Juniper Networks - 2015-04 Security Bulletin: IDP: Multiple vulnerabilities addressed by third party software updates.](http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10673)
- [[security-announce] SUSE-SU-2012:0623-1: important: Security update for](http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00014.html)
- [OpenSSL CVE-2012-2131 Encoded ASN.1 Data Incomplete Fix Memory Corruption Vulnerability](http://www.securityfocus.com/bid/53212)
- ['[security bulletin] HPSBUX02782 SSRT100844 rev.1 - HP-UX Running OpenSSL, Remote Denial of' - MARC](http://marc.info/?l=bugtraq&m=133728068926468&w=2)
- [[security-announce] SUSE-SU-2012:1149-1: important: Security update for](http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00007.html)
Products affected by CVE-2012-2131
- cpe:2.3:a:openssl:openssl:0.9.8v:*:*:*:*:*:*:*