Guest

Preview Tool

Cisco Bug: CSCut45987 - MARCH 2015 OpenSSL Vulnerabilities

Last Modified

Aug 03, 2017

Products (1)

  • Cisco IPICS Server Software

Known Affected Releases

4.5(1) 4.5(2) 4.6(1) 4.7(1) 4.8(2) 4.9(1)

Description (partial)

Symptom:
IPICS includes a version of OpenSSL that is affected by the vulnerability identified by the
Common Vulnerability and Exposures (CVE) IDs:

CVE	Title	Severity	IPICS
CVE-2015-0286 	Segmentation fault in ASN1_TYPE_cmp 	Moderate	Vulnerable
CVE-2015-0289 	PKCS7 NULL pointer dereferences 	Moderate	Vulnerable
CVE-2015-0292 	Base64 decode 	Moderate	Vulnerable
CVE-2015-0293 	DoS via reachable assert in SSLv2 servers 	Moderate	Vulnerable

Our version of OpenSSL has these additional vulnerabilities, but they do not apply to how IPICS
uses OpenSSL:
CVE-2015-0291 	OpenSSL 1.0.2 ClientHello sigalgs DoS	High	Not Vulnerable
CVE-2015-0204 	Reclassified: RSA silently downgrades to EXPORT_RSA [Client]	High	Not Vulnerable
CVE-2015-0290 	Multiblock corrupted pointer 	Moderate	Not Vulnerable
CVE-2015-0207 	Segmentation fault in DTLSv1_listen 	Moderate	Not Vulnerable
CVE-2015-0208 	Segmentation fault for invalid PSS parameters 	Moderate	Not Vulnerable
CVE-2015-0287 	ASN.1 structure reuse memory corruption	Moderate	Not Vulnerable
CVE-2015-1787 	Empty CKE with client auth and DHE	Moderate	Not Vulnerable
CVE-2015-0285 	Handshake with unseeded PRNG 	Low	Not Vulnerable
CVE-2015-0209 	Use After Free following d2i_ECPrivatekey error 	Low	Not Vulnerable
CVE-2015-0288 	X509_to_X509_REQ NULL pointer deref 	Low	Not Vulnerable

<B>Conditions:</B>
Exposure is not configuration dependent.

Version IPICS UMS  ISSIG  DFSIG
----------------------------------------------
1.0(1)  NV    -    -      -
2.0(1)  NV    -    -      -
2.1(1)  NV    -    -      -
2.2(1)  NV    -    -      -
4.0(1)  NV    -    -      -
4.0(2)  NV    -    -      -
4.5(1)  NV    NV   V      -
4.5(2)  NV    NV   V      -
4.6(1)  NV    NV   V      NV
4.7(1)  NV    NV   V      NV
4.8(1)  NV    NV   V      NV
4.8(2)  NV    NV   V      NV
4.9(1)  NV    NV   V      NV

Where NV="Not Vulnerable" and V="Vulnerable".
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.