CVE-2015-1793

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.
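
The flaw is a bookkeeping error in the retry path of the chain builder, so the model below is an added illustration (written for this page, not OpenSSL's code) of the mechanism as the OpenSSL advisory describes it: a valid end-entity certificate ends up acting as a CA because the Basic Constraints cA check is only applied to the first `last_untrusted` chain entries, and the vulnerable retry decrements that counter once per discarded certificate even when the discarded certificate came from the trust store. All certificate names (`Root`, `Intermediate`, `Bridge`, `attacker`, `victim.example`), the record type `Cert`, and the trust-store contents are constructed for the example; a store that contains a non-self-signed certificate whose issuer is absent is an assumed trigger condition chosen to force the first attempt through a store certificate, and signatures are modelled by issuer-name matching only. The `fixed=True` branch recomputes the count from the chain after the pops, which is the approach the upstream commit in the references takes.

```python
# Added model of CVE-2015-1793 (not OpenSSL code). Certificates are plain
# records; "signed by" is modelled as issuer-name matching.
from dataclasses import dataclass
from typing import List, Optional


class VerifyError(Exception):
    """Raised when no acceptable chain can be built."""


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ca: bool  # X.509 Basic Constraints cA

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def find_issuer(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """Return the first certificate in `pool` whose subject names `cert`'s issuer."""
    return next((c for c in pool if c.subject == cert.issuer), None)


def check_chain_extensions(chain: List[Cert], last_untrusted: int) -> None:
    """Every untrusted certificate above the leaf must assert cA=TRUE.

    Only chain[0:last_untrusted] is inspected: certificates that came from the
    trust store are the operator's responsibility, not the peer's.
    """
    for i in range(1, last_untrusted):
        if not chain[i].ca:
            raise VerifyError(f"{chain[i].subject!r} acts as a CA but its cA flag is FALSE")


def verify(leaf: Cert, untrusted: List[Cert], store: List[Cert], fixed: bool) -> List[Cert]:
    """Build leaf -> ... -> trust anchor, retrying with an alternative chain.

    fixed=False reproduces the flawed bookkeeping; fixed=True recomputes the
    untrusted count from the chain after the retry pops certificates.
    """
    pool = list(untrusted)
    chain = [leaf]
    # 1. Extend upwards using only the peer-supplied (untrusted) certificates.
    while not chain[-1].self_signed:
        nxt = find_issuer(chain[-1], pool)
        if nxt is None:
            break
        pool.remove(nxt)
        chain.append(nxt)
    last_untrusted = len(chain)
    j = len(chain)  # lowest position not yet reconsidered for an alternative chain
    while True:
        # 2. Extend upwards using the trust store.
        while not chain[-1].self_signed:
            nxt = find_issuer(chain[-1], store)
            if nxt is None:
                break
            chain.append(nxt)
        # 3. Trust decision: the top must be a self-signed certificate from the store.
        top = chain[-1]
        if top.self_signed and top in store:
            check_chain_extensions(chain, last_untrusted)
            return chain
        # 4. Alternative chain: can a lower certificate be issued straight from the store?
        found = False
        while j > 1:
            j -= 1
            if find_issuer(chain[j - 1], store) is not None:
                while len(chain) > j:  # discard everything above position j
                    chain.pop()
                    if not fixed:
                        last_untrusted -= 1  # BUG: also decremented for store certs
                if fixed:
                    last_untrusted = len(chain)
                found = True
                break
        if not found:
            raise VerifyError("unable to get issuer certificate")


# Constructed test data; every name here is made up for this illustration.
ROOT = Cert("Root", "Root", ca=True)
INTERMEDIATE = Cert("Intermediate", "Root", ca=True)
BRIDGE = Cert("Bridge", "OtherRoot", ca=True)  # in the store, but its issuer is not
STORE = [ROOT, INTERMEDIATE, BRIDGE]

ATTACKER_LEAF = Cert("attacker", "Intermediate", ca=False)  # a valid end-entity cert
FORGED = Cert("victim.example", "attacker", ca=False)       # "issued" with the leaf's key
CROSS = Cert("Intermediate", "Bridge", ca=True)             # cross-signed copy of Intermediate
UNTRUSTED = [ATTACKER_LEAF, CROSS]                          # sent by the peer along with FORGED


def outcome(fixed: bool, leaf: Cert = FORGED, untrusted: List[Cert] = UNTRUSTED) -> str:
    """Human-readable verdict for one verification attempt."""
    try:
        return "accepted: " + " <- ".join(c.subject for c in verify(leaf, untrusted, STORE, fixed))
    except VerifyError as e:
        return "rejected: " + str(e)


if __name__ == "__main__":
    print("vulnerable:", outcome(fixed=False))
    print("fixed:     ", outcome(fixed=True))
    print("no retry:  ", outcome(fixed=False, untrusted=[ATTACKER_LEAF]))
```

Run it and the vulnerable variant accepts `victim.example <- attacker <- Intermediate <- Root` even though `attacker` has cA=FALSE, while the fixed variant rejects it. The third line shows that without the cross-signed certificate there is no retry, the count stays correct, and the same forged chain is rejected by both variants; that is why the defect only surfaces when an alternative chain is found.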

Published: 2015-07-09 19:17  Updated: 2018-11-30 21:30

CVSS Score: 6.4 / 10
Affected products

Vendor   Product                          Version   URI
Openssl  Openssl                          1.0.1n    cpe:/a:openssl:openssl:1.0.1n
Openssl  Openssl                          1.0.1o    cpe:/a:openssl:openssl:1.0.1o
Openssl  Openssl                          1.0.2b    cpe:/a:openssl:openssl:1.0.2b
Openssl  Openssl                          1.0.2c    cpe:/a:openssl:openssl:1.0.2c
Oracle   Jd Edwards Enterpriseone Tools   9.1       cpe:/a:oracle:jd_edwards_enterpriseone_tools:9.1
Oracle   Jd Edwards Enterpriseone Tools   9.2       cpe:/a:oracle:jd_edwards_enterpriseone_tools:9.2
Oracle   Opus 10g Ethernet Switch Family  2.0.0.6   cpe:/o:oracle:opus_10g_ethernet_switch_family:2.0.0.6
Oracle   Supply Chain Products Suite      6.1.2.2   cpe:/a:oracle:supply_chain_products_suite:6.1.2.2
Oracle   Supply Chain Products Suite      6.1.3.0   cpe:/a:oracle:supply_chain_products_suite:6.1.3.0
Oracle   Supply Chain Products Suite      6.2.0     cpe:/a:oracle:supply_chain_products_suite:6.2.0

CWE

ID       Name               Description
CWE-254  Security Features  Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

References

Source Link
BID http://www.securityfocus.com/bid/91787
SECTRACK http://www.securitytracker.com/id/1032817
CONFIRM http://fortiguard.com/advisory/2015-07-09-cve-2015-1793-openssl-alternative-chains-certificate-forgery
NETBSD http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2015-008.txt.asc
CONFIRM http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10694
FEDORA http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161747.html
FEDORA http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161782.html
HP http://marc.info/?l=bugtraq&m=144370846326989&w=2
CONFIRM http://openssl.org/news/secadv_20150709.txt
CISCO http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150710-openssl
CONFIRM http://www.fortiguard.com/advisory/2015-07-09-cve-2015-1793-openssl-alternative-chains-certificate-forgery
CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
CONFIRM http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
CONFIRM http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
CONFIRM http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
CONFIRM http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
BID http://www.securityfocus.com/bid/75652
SLACKWARE http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.561427
CONFIRM http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-454058.htm
CONFIRM https://git.openssl.org/?p=openssl.git;a=commit;h=9a0db453ba017ebcaccbee933ee6511a9ae4d1c8
CONFIRM https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04822825
CONFIRM https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05045763
CONFIRM https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05184351
CONFIRM https://kc.mcafee.com/corporate/index?page=content&id=SB10125
GENTOO https://security.gentoo.org/glsa/201507-15
FREEBSD https://www.freebsd.org/security/advisories/FreeBSD-SA-15:12.openssl.asc
EXPLOIT-DB https://www.exploit-db.com/exploits/38640/
CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
HP http://marc.info/?l=bugtraq&m=143880121627664&w=2
CONFIRM https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes