News and Notes from the Makers of Nexus | Sonatype Blog

OpenSSL Releases New Fix for CVE-2012-2110 ASN1 Bug

Written by Ali Loney | April 24, 2012

April 24, Threatpost – (International) OpenSSL releases new fix for CVE-2012-2110 ASN1 bug. The OpenSSL developers had to re-release the fix for a serious vulnerability in the software’s ASN.1 implementation that could allow an attacker to cause a denial-of-service or potentially run arbitrary code on a remote machine. The updated fix only applies to version 0.9.8v; all of the other previously affected versions are already protected with the existing patch. OpenSSL released the original advisory and fix for the CVE-2012-2110 vulnerability the week of April 16, fixing the bug in versions 0.9.8, 1.0.1a, and 1.0.0i. However, after releasing the fixes, Red Hat discovered the fix for version 0.9.8 did not completely address the vulnerability, hence the new patch. “The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key,” according to the description of the bug in the National Vulnerability Database.

Source: http://threatpost.com/en_us/blogs/openssl-releases-new-fix-cve-2012-2110-asn1-bug-042412