Lucene search

[email protected]NVD:CVE-2020-1967

HistoryApr 21, 2020 - 2:15 p.m.

CVE-2020-1967

2020-04-2114:15:11

CWE-476

[email protected]

web.nvd.nist.gov

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.3 High

AI Score

Confidence

High

0.081 Low

EPSS

Percentile

94.4%

JSON

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the “signature_algorithms_cert” TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).

Affected configurations

NVD

Node

opensslopensslRange1.1.1d–1.1.1f

Node

debiandebian_linuxMatch9.0

debiandebian_linuxMatch10.0

Node

freebsdfreebsdMatch12.1-

Node

fedoraprojectfedoraMatch30

fedoraprojectfedoraMatch31

fedoraprojectfedoraMatch32

Node

oracleapplication_serverMatch12.1.3

oracleenterprise_manager_base_platformMatch13.4.0.0

oracleenterprise_manager_for_storage_managementMatch13.3.0.0

oracleenterprise_manager_for_storage_managementMatch13.4.0.0

oracleenterprise_manager_ops_centerMatch12.4.0

oraclehttp_serverMatch12.2.1.4.0

oraclejd_edwards_world_securityMatcha9.4

oraclemysqlRange≤5.6.48

oraclemysqlRange5.7.0–5.7.30

oraclemysqlRange8.0.0–8.0.20

oraclemysql_connectorsRange≤8.0.20

oraclemysql_enterprise_monitorRange≤4.0.12

oraclemysql_enterprise_monitorRange8.0.0–8.0.20

oraclemysql_workbenchRange≤8.0.21

oraclepeoplesoft_enterprise_peopletoolsMatch8.56

oraclepeoplesoft_enterprise_peopletoolsMatch8.57

oraclepeoplesoft_enterprise_peopletoolsMatch8.58

oraclepeoplesoft_enterprise_peopletoolsMatch8.59

Node

netappactive_iq_unified_managerRange7.3≥windows

netappactive_iq_unified_managerRange9.5≥vmware_vsphere

netappe-series_performance_analyzerMatch-

netapponcommand_insightMatch-

netapponcommand_workflow_automationMatch-

netappsmi-s_providerMatch-

netappsnapcenterMatch-

netappsteelstore_cloud_integrated_storageMatch-

broadcomfabric_operating_systemMatch-

Node

opensuseleapMatch15.1

opensuseleapMatch15.2

Node

jdedwardsenterpriseoneRange<9.2.5.0

Node

tenablelog_correlation_engineRange<6.0.9

References

lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html

lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html

packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html

seclists.org/fulldisclosure/2020/May/5

www.openwall.com/lists/oss-security/2020/04/22/2

git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1

github.com/irsl/CVE-2020-1967

kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440

lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee%40%3Cdev.tomcat.apache.org%3E

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/

security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc

security.gentoo.org/glsa/202004-10

security.netapp.com/advisory/ntap-20200424-0003/

security.netapp.com/advisory/ntap-20200717-0004/

www.debian.org/security/2020/dsa-4661

www.openssl.org/news/secadv/20200421.txt

www.oracle.com//security-alerts/cpujul2021.html

www.oracle.com/security-alerts/cpuApr2021.html

www.oracle.com/security-alerts/cpujan2021.html

www.oracle.com/security-alerts/cpujul2020.html

www.oracle.com/security-alerts/cpuoct2020.html

www.oracle.com/security-alerts/cpuoct2021.html

www.synology.com/security/advisory/Synology_SA_20_05

www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL

www.tenable.com/security/tns-2020-03

www.tenable.com/security/tns-2020-04

www.tenable.com/security/tns-2020-11

www.tenable.com/security/tns-2021-10

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.3 High

AI Score

Confidence

High

0.081 Low

EPSS

Percentile

94.4%

JSON

CVE-2020-1967

Affected configurations

References

Related