Detections
Analytics
Amazon Linux AMI : openssl (ALAS-2015-614)
high Nessus Plugin ID 87340
Language:
Synopsis
The remote Amazon Linux AMI host is missing a security update.Description
A NULL pointer derefernce flaw was found in the way OpenSSL verified signatures using the RSA PSS algorithm. A remote attacked could possibly use this flaw to crash a TLS/SSL client using OpenSSL, or a TLS/SSL server using OpenSSL if it enabled client authentication.(CVE-2015-3194)
A memory leak vulnerability was found in the way OpenSSL parsed PKCS#7 and CMS data. A remote attacker could use this flaw to cause an application that parses PKCS#7 or CMS data from untrusted sources to use an excessive amount of memory and possibly crash. (CVE-2015-3195)
A race condition flaw, leading to a double free, was found in the way OpenSSL handled pre-shared key (PSK) identify hints. A remote attacker could use this flaw to crash a multi-threaded SSL/TLS client using OpenSSL. (CVE-2015-3196)
Solution
Run 'yum update openssl' to update your system.See Also
Plugin Details
Severity: High
ID: 87340
File Name: ala_ALAS-2015-614.nasl
Version: 2.10
Type: local
Agent: unix
Published: 12/15/2015
Updated: 4/18/2018
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: Medium
Base Score: 5
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS v3
Risk Factor: High
Base Score: 7.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Information
CPE: p-cpe:/a:amazon:linux:openssl, p-cpe:/a:amazon:linux:openssl-debuginfo, p-cpe:/a:amazon:linux:openssl-devel, p-cpe:/a:amazon:linux:openssl-perl, p-cpe:/a:amazon:linux:openssl-static, cpe:/o:amazon:linux
Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list
Patch Publication Date: 12/14/2015
Reference Information
CVE: CVE-2015-3194, CVE-2015-3195, CVE-2015-3196
ALAS: 2015-614