CVE-2008-1672

Summary

CVE	CVE-2008-1672
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2008-05-29 16:32:00 UTC
Updated	2022-02-02 15:03:00 UTC
Description	OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of service (crash) via a TLS handshake that omits the Server Key Exchange message and uses "particular cipher suites," which triggers a NULL pointer dereference.

Risk And Classification

Problem Types: CWE-476

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Canonical	Ubuntu Linux	8.04	All	All	All
Application	Openssl	Openssl	0.9.8f	All	All	All
Application	Openssl	Openssl	0.9.8g	All	All	All
Application	Openssl Project	Openssl	0.9.8f	All	All	All
Application	Openssl Project	Openssl	0.9.8g	All	All	All
Application	Openssl Project	Openssl	0.9.8f	All	All	All
Application	Openssl Project	Openssl	0.9.8g	All	All	All

References

Reference	Source	Link	Tags
[SECURITY] Fedora 9 Update: openssl-0.9.8g-9.fc9	FEDORA	www.redhat.com
OpenSSL: Denial of Service — Gentoo Linux Documentation	GENTOO	security.gentoo.org
OpenSSL Multiple Denial of Service Vulnerabilities	BID	www.securityfocus.com	Patch
OpenSSL Two Denial of Service Vulnerabilities - Secunia Advisories - Vulnerability Intelligence - Secunia.com	SECUNIA	secunia.com	Vendor Advisory
IBM X-Force Exchange	XF	exchange.xforce.ibmcloud.com
CERT-FI - CERT-FI Vulnerability Advisory on OpenSSL	MISC	cert.fi
Nortel Media Processing Server OpenSSL Multiple Vulnerabilities - Secunia Advisories - Vulnerability Intelligence - Secunia.com	SECUNIA	secunia.com
The Slackware Linux Project: Slackware Security Advisories	SLACKWARE	slackware.com
www.openssl.org/news/secadv_20080528.txt	CONFIRM	www.openssl.org
US-CERT Vulnerability Note VU#520586	CERT-VN	www.kb.cert.org	US Government Resource
Webmail - OVH	VUPEN	www.vupen.com
SecurityFocus	BUGTRAQ	www.securityfocus.com
Support / Security / Advisories / / MDVSA-2008:107 \| Mandriva	MANDRIVA	www.mandriva.com
Ubuntu update for openssl - Secunia Advisories - Vulnerability Intelligence - Secunia.com	SECUNIA	secunia.com
OpenSSL TLS Handshake Bug Lets Remote Servers Crash the Connected Client - SecurityTracker	SECTRACK	www.securitytracker.com
Gentoo update for openssl - Secunia Advisories - Vulnerability Intelligence - Secunia.com	SECUNIA	secunia.com
Fedora update for openssl - Secunia Advisories - Vulnerability Intelligence - Secunia.com	SECUNIA	secunia.com
cwRsync OpenSSL Denial of Service Vulnerabilities - Advisories - Secunia	SECUNIA	secunia.com
Webmail - OVH	VUPEN	www.vupen.com
support.nortel.com/go/main.jsp	MISC	support.nortel.com
Slackware update for openssl - Advisories - Secunia	SECUNIA	secunia.com
SourceForge.net: SysAdmin Tools from ITeF!x: Files	CONFIRM	sourceforge.net
USN-620-1: OpenSSL vulnerabilities \| Ubuntu	UBUNTU	www.ubuntu.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Organization	Published	Contributor	Statement
Red Hat	2008-05-30	Mark J Cox	Not vulnerable. This issue did not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Legacy QID Mappings

390284 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2023-0013)