Test ID: 1.3.6.1.4.1.25623.1.0.851665
Category: SuSE Local Security Checks
Title: openSUSE: Security Advisory for openssl (openSUSE-SU-2017:3345-1)
Summary: The remote host is missing an update for the 'openssl' package(s) announced via the referenced advisory.
Description:
Summary:
The remote host is missing an update for the 'openssl'
package(s) announced via the referenced advisory.

Vulnerability Insight:
This update for openssl fixes the following issues:

- OpenSSL Security Advisory [07 Dec 2017]

* CVE-2017-3737: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced
an 'error state' mechanism. The intent was that if a fatal error
occurred during a handshake then OpenSSL would move into the error
state and would immediately fail if you attempted to continue the
handshake. This works as designed for the explicit handshake functions
(SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a
bug it does not work correctly if SSL_read() or SSL_write() is called
directly. In that scenario, if the handshake fails then a fatal error
will be returned in the initial function call. If
SSL_read()/SSL_write() is subsequently called by the application for
the same SSL object then it will succeed and the data is passed
without being decrypted/encrypted directly from the SSL/TLS record
layer. In order to exploit this issue an application bug would have to
be present that resulted in a call to SSL_read()/SSL_write() being
issued after having already received a fatal error. OpenSSL versions
1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is
not affected. (bsc#1071905)

* CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery
multiplication procedure used in exponentiation with 1024-bit moduli.
No EC algorithms are affected. Analysis suggests that attacks against
RSA and DSA as a result of this defect would be very difficult to
perform and are not believed likely. Attacks against DH1024 are
considered just feasible, because most of the work necessary to deduce
information about a private key may be performed offline. The amount
of resources required for such an attack would be significant.
However, for an attack on TLS to be meaningful, the server would have
to share the DH1024 private key among multiple clients, which is no
longer an option since CVE-2016-0701. This only affects processors
that support the AVX2 but not ADX extensions like Intel Haswell (4th
generation). Note: The impact from this issue is similar to
CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. (bsc#1071906)

This update was imported from the SUSE:SLE-12-SP2:Update update project.
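
A triage sketch for the two issues above, added here as an example (not part of the advisory or of the Greenbone test): it checks an `openssl version` string against the upstream range 1.0.2b to 1.0.2m given for CVE-2017-3737, and looks for AVX2 without ADX in `/proc/cpuinfo`-style text for CVE-2017-3738. Function names and sample inputs are constructed; distribution packages backport fixes without changing the upstream version letter, so on openSUSE the installed package update, not this string, is authoritative.

```python
import re

# Upstream release strings look like "1.0.2m": three numbers plus an optional letter.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")

def parse_openssl_version(text):
    """Return (major, minor, fix, letter) from e.g. 'OpenSSL 1.0.2j-fips  26 Sep 2016'."""
    m = _VERSION.search(text)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)

def upstream_in_range_for_cve_2017_3737(version_text):
    """True for upstream 1.0.2b through 1.0.2m, the range the advisory gives."""
    major, minor, fix, letter = parse_openssl_version(version_text)
    # An empty letter (plain 1.0.2) and 'a' sort below 'b'; 'n' and later are fixed.
    return (major, minor, fix) == (1, 0, 2) and "b" <= letter <= "m"

def cpu_precondition_for_cve_2017_3738(cpuinfo_text):
    """True if any 'flags' line lists avx2 without adx (the Haswell-style case)."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            flags = set(value.split())
            if "avx2" in flags and "adx" not in flags:
                return True
    return False

def triage(version_text, cpuinfo_text):
    """Combine both checks; the CPU result is a precondition, not a verdict."""
    return {
        "cve_2017_3737_upstream_version_in_range":
            upstream_in_range_for_cve_2017_3737(version_text),
        "cve_2017_3738_cpu_precondition":
            cpu_precondition_for_cve_2017_3738(cpuinfo_text),
    }

# Constructed sample inputs (not captured from a real host).
SAMPLE_AVX2_NO_ADX = "processor\t: 0\nflags\t\t: fpu sse2 avx avx2 bmi2\n"
SAMPLE_AVX2_WITH_ADX = "processor\t: 0\nflags\t\t: fpu sse2 avx avx2 bmi2 adx\n"

if __name__ == "__main__":
    print(triage("OpenSSL 1.0.2j-fips  26 Sep 2016", SAMPLE_AVX2_NO_ADX))
    print(triage("OpenSSL 1.0.2n  7 Dec 2017", SAMPLE_AVX2_WITH_ADX))
```
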

Affected Software/OS:
openssl on openSUSE Leap 42.3, openSUSE Leap 42.2

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Cross Reference: Common Vulnerability Exposure (CVE) ID: CVE-2017-3737
BugTraq ID: 102103
http://www.securityfocus.com/bid/102103
Debian Security Information: DSA-4065
https://www.debian.org/security/2017/dsa-4065
FreeBSD Security Advisory: FreeBSD-SA-17:02
https://security.FreeBSD.org/advisories/FreeBSD-SA-17:12.openssl.asc
https://security.gentoo.org/glsa/201712-03
https://www.digitalmunition.me/2017/12/cve-2017-3737-openssl-security-bypass-vulnerability/
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
RedHat Security Advisories: RHSA-2018:0998
https://access.redhat.com/errata/RHSA-2018:0998
RedHat Security Advisories: RHSA-2018:2185
https://access.redhat.com/errata/RHSA-2018:2185
RedHat Security Advisories: RHSA-2018:2186
https://access.redhat.com/errata/RHSA-2018:2186
RedHat Security Advisories: RHSA-2018:2187
https://access.redhat.com/errata/RHSA-2018:2187
http://www.securitytracker.com/id/1039978
Common Vulnerability Exposure (CVE) ID: CVE-2017-3738
BugTraq ID: 102118
http://www.securityfocus.com/bid/102118
Debian Security Information: DSA-4157
https://www.debian.org/security/2018/dsa-4157
https://github.com/openssl/openssl/commit/e502cc86df9dafded1694fceb3228ee34d11c11a
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Common Vulnerability Exposure (CVE) ID: CVE-2016-0701
BugTraq ID: 82233
http://www.securityfocus.com/bid/82233
BugTraq ID: 91787
http://www.securityfocus.com/bid/91787
CERT/CC vulnerability note: VU#257823
https://www.kb.cert.org/vuls/id/257823
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
http://www.openssl.org/news/secadv/20160128.txt
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
https://git.openssl.org/?p=openssl.git;a=commit;h=878e2c5b13010329c203f309ed0c8f2113f85648
https://git.openssl.org/?p=openssl.git;a=commit;h=c5b831f21d0d29d1e517d139d9d101763f60c9a2
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03724en_us
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05164821
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390893
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176373.html
https://security.gentoo.org/glsa/201601-05
http://intothesymmetry.blogspot.com/2016/01/openssl-key-recovery-attack-on-dh-small.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
http://www.securitytracker.com/id/1034849
SuSE Security Announcement: openSUSE-SU-2016:0637
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html
http://www.ubuntu.com/usn/USN-2883-1
Common Vulnerability Exposure (CVE) ID: CVE-2017-3736
BugTraq ID: 101666
http://www.securityfocus.com/bid/101666
Debian Security Information: DSA-4017
https://www.debian.org/security/2017/dsa-4017
Debian Security Information: DSA-4018
https://www.debian.org/security/2017/dsa-4018
https://security.FreeBSD.org/advisories/FreeBSD-SA-17:11.openssl.asc
https://github.com/openssl/openssl/commit/4443cf7aa0099e5ce615c18cee249fff77fb0871
RedHat Security Advisories: RHSA-2018:2568
https://access.redhat.com/errata/RHSA-2018:2568
RedHat Security Advisories: RHSA-2018:2575
https://access.redhat.com/errata/RHSA-2018:2575
RedHat Security Advisories: RHSA-2018:2713
https://access.redhat.com/errata/RHSA-2018:2713
http://www.securitytracker.com/id/1039727
Common Vulnerability Exposure (CVE) ID: CVE-2017-3732
BugTraq ID: 95814
http://www.securityfocus.com/bid/95814
https://security.FreeBSD.org/advisories/FreeBSD-SA-17:02.openssl.asc
https://security.gentoo.org/glsa/201702-07
https://github.com/openssl/openssl/commit/a59b90bf491410f1f2bc4540cc21f1980fd14c5b
http://www.securitytracker.com/id/1037717
Common Vulnerability Exposure (CVE) ID: CVE-2015-3193
BugTraq ID: 78705
http://www.securityfocus.com/bid/78705
Cisco Security Advisory: 20151204 Multiple Vulnerabilities in OpenSSL (December 2015) Affecting Cisco Products
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151204-openssl
https://blog.fuzzing-project.org/31-Fuzzing-Math-miscalculations-in-OpenSSLs-BN_mod_exp-CVE-2015-3193.html
http://www.securitytracker.com/id/1034294
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.539966
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.754583
http://www.ubuntu.com/usn/USN-2830-1
Copyright: Copyright (C) 2017 Greenbone Networks GmbH

© 1998-2024 E-Soft Inc. All rights reserved.