Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a denial-of-service attack. There are no such structures used within SSL/TLS that come from untrusted sources, so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).
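
The failure mode described above can be avoided by carrying a depth counter through the recursive walk and refusing input past a fixed limit. The following is an added example, not OpenSSL's code: the function names `der_header`, `der_check_nesting` and `build_nested` are hypothetical, and `MAX_NEST` is an assumed value chosen for illustration.

```c
#include <stddef.h>

#define MAX_NEST 30  /* assumed depth limit for this example */

/* Read one DER header at p. Returns header length, or 0 if malformed. */
static size_t der_header(const unsigned char *p, size_t len,
                         int *constructed, size_t *clen) {
    if (len < 2 || (p[0] & 0x1f) == 0x1f)   /* multi-byte tags not handled */
        return 0;
    *constructed = (p[0] & 0x20) != 0;
    size_t hl = 2;
    *clen = p[1];
    if (p[1] & 0x80) {                      /* long-form length */
        size_t n = p[1] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || n > len - 2)
            return 0;                       /* indefinite or oversized length */
        *clen = 0;
        for (size_t i = 0; i < n; i++)
            *clen = (*clen << 8) | p[2 + i];
        hl += n;
    }
    return *clen <= len - hl ? hl : 0;      /* content must fit in the buffer */
}

/* Walk every TLV in p[0..len). Returns 0 if well-formed and nested no
 * deeper than MAX_NEST, -1 otherwise. Recursion is bounded by MAX_NEST,
 * so stack use no longer depends on attacker-controlled input. */
int der_check_nesting(const unsigned char *p, size_t len, int depth) {
    if (depth > MAX_NEST)
        return -1;                          /* refuse before recursing further */
    while (len > 0) {
        int cons = 0;
        size_t clen, hl = der_header(p, len, &cons, &clen);
        if (hl == 0 || (cons && der_check_nesting(p + hl, clen, depth + 1) != 0))
            return -1;
        p += hl + clen;
        len -= hl + clen;
    }
    return 0;
}

/* Constructed test input: `levels` nested empty SEQUENCEs (levels <= 64). */
size_t build_nested(unsigned char *buf, int levels) {
    for (int i = 0; i < levels; i++) {
        buf[2 * i] = 0x30;                  /* SEQUENCE, constructed */
        buf[2 * i + 1] = (unsigned char)(2 * (levels - 1 - i));
    }
    return (size_t)(2 * levels);
}
```

Call `der_check_nesting(buf, len, 0)` on untrusted DER before handing it to a recursive decoder; a return of -1 means the input is malformed or nested deeper than the limit.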

Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | mysql56 | 2018-08-22 19:34 | ALAS-2018-1069 |
Amazon Linux 1 | mysql57 | 2018-08-22 19:35 | ALAS-2018-1070 |
Amazon Linux 1 | openssl | 2018-08-22 18:59 | ALAS-2018-1065 |
Amazon Linux 1 | openssl | 2018-12-05 23:20 | ALAS-2018-1102 |
Amazon Linux 2 - Core | openssl | 2018-11-07 22:07 | ALAS2-2018-1102 |

Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv3 | 6.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
NVD | CVSSv2 | 4.3 | AV:N/AC:M/Au:N/C:N/I:N/A:P |
NVD | CVSSv3 | 6.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |