CVE-2015-3195
high-risk
Published 2015-12-06
The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.
Do I need to act?
3.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 5.3/10
Medium
NETWORK / LOW complexity
Affected Products (20)
Life Sciences Data Hub
Sun Ray Software
References (94)
Third Party Advisory
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10733
Third Party Advisory
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
Third Party Advisory
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173801.h...
Mailing List
http://marc.info/?l=bugtraq&m=145382583417444&w=2
Vendor Advisory
http://openssl.org/news/secadv/20151203.txt
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-2616.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-2617.html
Broken Link
http://rhn.redhat.com/errata/RHSA-2016-2056.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-2957.html
Third Party Advisory
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20...
and 74 more references
Risk score: 54 / 100 (high-risk)
Severity: 21/34 · High
Exploitability: 7/34 · Low
Exposure: 26/34 · High