{
  "affected": [],
  "aliases": [
    "CVE-2002-1568"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2003-11-17T05:00:00Z",
    "severity": "MODERATE"
  },
  "details": "OpenSSL 0.9.6e uses assertions when detecting buffer overflow attacks instead of less severe mechanisms, which allows remote attackers to cause a denial of service (crash) via certain messages that cause OpenSSL to abort from a failed assertion, as demonstrated using SSLv2 CLIENT_MASTER_KEY messages, which are not properly handled in s2_srvr.c.",
  "id": "GHSA-3626-95rf-mfw3",
  "modified": "2022-04-30T18:21:25Z",
  "published": "2022-04-30T18:21:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1568"
    },
    {
      "type": "WEB",
      "url": "http://cvs.openssl.org/chngview?cn=7659"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=106511018214983"
    },
    {
      "type": "WEB",
      "url": "http://www.ebitech.sk/patrik/SA/SA-20031002.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated OpenSSL packages are available which fix several serious buffer\noverflow vulnerabilities.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "OpenSSL is a commercial-grade, full-featured, and Open Source toolkit which\nimplements the Secure Sockets Layer (SSL v2/v3) and Transport Layer\nSecurity (TLS v1) protocols as well as a full-strength general purpose\ncryptography library. A security audit of the OpenSSL code sponsored by\nDARPA found several buffer overflows in OpenSSL which affect versions 0.9.7\nand 0.9.6d and earlier:\n\n1. The master key supplied by a client to an SSL version 2 server could be\noversized, causing a stack-based buffer overflow. This issue is remotely\nexploitable. Services that have SSLv2 disabled would not be vulnerable to\nthis issue. (CAN-2002-0656)\n\n2. The SSLv3 session ID supplied to a client from a malicious server could\nbe oversized and overrun a buffer. This issue looks to be remotely\nexploitable. (CAN-2002-0656)\n\n3. Various buffers used for storing ASCII representations of integers were\ntoo small on 64 bit platforms. This issue may be exploitable. (CAN-2002-0655)\n\nA further issue was found in OpenSSL 0.9.7 that does not affect versions of\nOpenSSL shipped with Red Hat Linux (CAN-2002-0657).\n\nA large number of applications within Red Hat Linux make use the OpenSSL\nlibrary to provide SSL support.  All users are therefore advised to upgrade\nto the errata OpenSSL packages, which contain patches to correct these\nvulnerabilities.\n\nNOTE: \n\nPlease read the Solution section below as it contains instructions for\nmaking sure that all SSL-enabled processes are restarted after the update\nis applied.\n\nThanks go to the OpenSSL team and Ben Laurie for providing patches for\nthese issues.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2002:157",
        "url": "https://access.redhat.com/errata/RHSA-2002:157"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#critical",
        "url": "https://access.redhat.com/security/updates/classification/#critical"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2002/rhsa-2002_157.json"
      }
    ],
    "title": "Red Hat Security Advisory: openssl security update",
    "tracking": {
      "current_release_date": "2024-11-21T22:26:54+00:00",
      "generator": {
        "date": "2024-11-21T22:26:54+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2002:157",
      "initial_release_date": "2002-07-30T10:46:00+00:00",
      "revision_history": [
        {
          "date": "2002-07-30T10:46:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2002-07-26T00:00:00+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-21T22:26:54+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                "product": {
                  "name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                  "product_id": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:2.1::as"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Advanced Server"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2002-0655",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616787"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, does not properly handle ASCII representations of integers on 64 bit platforms, which could allow attackers to cause a denial of service and possibly execute arbitrary code.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-0655"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616787",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616787"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-0655",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-0655"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0655",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0655"
        }
      ],
      "release_date": "2002-07-30T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2002-07-30T10:46:00+00:00",
          "details": "IMPORTANT:\n\nBecause both client and server applications are affected by these\nvulnerabilities, we advise users to reboot their systems after installing\nthese updates.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
          "product_ids": [
            "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2002:157"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2002-0656",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616788"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Buffer overflows in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allow remote attackers to execute arbitrary code via (1) a large client master key in SSL2 or (2) a large session ID in SSL3.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-0656"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616788",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616788"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-0656",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-0656"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0656",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0656"
        }
      ],
      "release_date": "2002-07-30T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2002-07-30T10:46:00+00:00",
          "details": "IMPORTANT:\n\nBecause both client and server applications are affected by these\nvulnerabilities, we advise users to reboot their systems after installing\nthese updates.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
          "product_ids": [
            "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2002:157"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2002-1568",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616924"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "OpenSSL 0.9.6e uses assertions when detecting buffer overflow attacks instead of less severe mechanisms, which allows remote attackers to cause a denial of service (crash) via certain messages that cause OpenSSL to abort from a failed assertion, as demonstrated using SSLv2 CLIENT_MASTER_KEY messages, which are not properly handled in s2_srvr.c.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-1568"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616924",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616924"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-1568",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-1568"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1568",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1568"
        }
      ],
      "release_date": "2003-10-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2002-07-30T10:46:00+00:00",
          "details": "IMPORTANT:\n\nBecause both client and server applications are affected by these\nvulnerabilities, we advise users to reboot their systems after installing\nthese updates.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
          "product_ids": [
            "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 "
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2002:157"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "security flaw"
    }
  ]
}

{
  "GSD": {
    "alias": "CVE-2002-1568",
    "description": "OpenSSL 0.9.6e uses assertions when detecting buffer overflow attacks instead of less severe mechanisms, which allows remote attackers to cause a denial of service (crash) via certain messages that cause OpenSSL to abort from a failed assertion, as demonstrated using SSLv2 CLIENT_MASTER_KEY messages, which are not properly handled in s2_srvr.c.",
    "id": "GSD-2002-1568",
    "references": [
      "https://access.redhat.com/errata/RHSA-2002:157"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2002-1568"
      ],
      "details": "OpenSSL 0.9.6e uses assertions when detecting buffer overflow attacks instead of less severe mechanisms, which allows remote attackers to cause a denial of service (crash) via certain messages that cause OpenSSL to abort from a failed assertion, as demonstrated using SSLv2 CLIENT_MASTER_KEY messages, which are not properly handled in s2_srvr.c.",
      "id": "GSD-2002-1568",
      "modified": "2023-12-13T01:24:10.855296Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2002-1568",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "OpenSSL 0.9.6e uses assertions when detecting buffer overflow attacks instead of less severe mechanisms, which allows remote attackers to cause a denial of service (crash) via certain messages that cause OpenSSL to abort from a failed assertion, as demonstrated using SSLv2 CLIENT_MASTER_KEY messages, which are not properly handled in s2_srvr.c."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://www.ebitech.sk/patrik/SA/SA-20031002.txt",
            "refsource": "MISC",
            "url": "http://www.ebitech.sk/patrik/SA/SA-20031002.txt"
          },
          {
            "name": "http://cvs.openssl.org/chngview?cn=7659",
            "refsource": "CONFIRM",
            "url": "http://cvs.openssl.org/chngview?cn=7659"
          },
          {
            "name": "20031002 New OpenSSL remote vulnerability (issue date 2003/10/02)",
            "refsource": "BUGTRAQ",
            "url": "http://marc.info/?l=bugtraq\u0026m=106511018214983"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:openssl:openssl:0.9.6e:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2002-1568"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "OpenSSL 0.9.6e uses assertions when detecting buffer overflow attacks instead of less severe mechanisms, which allows remote attackers to cause a denial of service (crash) via certain messages that cause OpenSSL to abort from a failed assertion, as demonstrated using SSLv2 CLIENT_MASTER_KEY messages, which are not properly handled in s2_srvr.c."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://cvs.openssl.org/chngview?cn=7659",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "http://cvs.openssl.org/chngview?cn=7659"
            },
            {
              "name": "http://www.ebitech.sk/patrik/SA/SA-20031002.txt",
              "refsource": "MISC",
              "tags": [],
              "url": "http://www.ebitech.sk/patrik/SA/SA-20031002.txt"
            },
            {
              "name": "20031002 New OpenSSL remote vulnerability (issue date 2003/10/02)",
              "refsource": "BUGTRAQ",
              "tags": [],
              "url": "http://marc.info/?l=bugtraq\u0026m=106511018214983"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2016-10-18T02:27Z",
      "publishedDate": "2003-11-17T05:00Z"
    }
  }
}