CVE-2011-3207

CVE	CVE-2011-3207
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2011-09-22 10:55:00 UTC
Updated	2014-03-26 04:22:00 UTC
Description	crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to a time in the past.

Problem Types: CWE-264

Type	Vendor	Product	Version	Update	Edition	Language
Application	Openssl	Openssl	1.0.0	All	All	All
Application	Openssl	Openssl	1.0.0	beta1	All	All
Application	Openssl	Openssl	1.0.0	beta2	All	All
Application	Openssl	Openssl	1.0.0	beta3	All	All
Application	Openssl	Openssl	1.0.0	beta4	All	All
Application	Openssl	Openssl	1.0.0	beta5	All	All
Application	Openssl	Openssl	1.0.0a	All	All	All
Application	Openssl	Openssl	1.0.0b	All	All	All
Application	Openssl	Openssl	1.0.0c	All	All	All
Application	Openssl	Openssl	1.0.0d	All	All	All
Application	Openssl	Openssl	1.0.0	All	All	All
Application	Openssl	Openssl	1.0.0	beta1	All	All
Application	Openssl	Openssl	1.0.0	beta2	All	All
Application	Openssl	Openssl	1.0.0	beta3	All	All
Application	Openssl	Openssl	1.0.0	beta4	All	All
Application	Openssl	Openssl	1.0.0	beta5	All	All
Application	Openssl	Openssl	1.0.0a	All	All	All
Application	Openssl	Openssl	1.0.0b	All	All	All
Application	Openssl	Openssl	1.0.0c	All	All	All
Application	Openssl	Openssl	1.0.0d	All	All	All

Reference	Source	Link	Tags
Security Advisory SA57353 - IBM Storage System DS8870 OpenSSL Multiple Vulnerabilities - Secunia	SECUNIA	secunia.com
IBM Security Bulletin: Storage HMC OpenSSL upgrade to address cryptographic vulnerabilities. - United States	CONFIRM	www-01.ibm.com
Bug 736087 – CVE-2011-3207 openssl: CRL verification vulnerability	CONFIRM	bugzilla.redhat.com
openssl.org/news/secadv_20110906.txt	CONFIRM	openssl.org	Vendor Advisory
[SECURITY] Fedora 18 Update: mingw-openssl-1.0.1c-1.fc18	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 16 Update: openssl-1.0.0e-1.fc16	FEDORA	lists.fedoraproject.org
'[security bulletin] HPSBMU02752 SSRT100802 rev.1 HP Insight Control Software for Linux (IC-Linux), R' - MARC	HP	marc.info
Support	REDHAT	www.redhat.com
[SECURITY] Fedora 14 Update: openssl-1.0.0e-1.fc14	FEDORA	lists.fedoraproject.org
Fedora update for openssl - Secunia.com	SECUNIA	secunia.com
APPLE-SA-2013-06-04-1 OS X Mountain Lion v10.8.4 and Security Update 2013-002	APPLE	lists.apple.com
OpenSSL ECDH Ciphersuite and CRL Update Bugs Lets Remote Users Deny Service and Bypass CRL Updates - SecurityTracker	SECTRACK	www.securitytracker.com
Support / Security / Advisories / / MDVSA-2011:137 \| Mandriva	MANDRIVA	www.mandriva.com
cvs.openssl.org/chngview	CONFIRM	cvs.openssl.org	Patch
About the security content of OS X Mountain Lion v10.8.4 and Security Update 2013-002	CONFIRM	support.apple.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

390226 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2021-0011)
390284 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2023-0013)