CVE-2015-0285

Summary

CVE	CVE-2015-0285
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2015-03-19 22:59:00 UTC
Updated	2023-11-07 02:23:00 UTC
Description	The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1.0.2a does not ensure that the PRNG is seeded before proceeding with a handshake, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and then conducting a brute-force attack.

Risk And Classification

Problem Types: CWE-310

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Openssl	Openssl	1.0.2	All	All	All
Application	Openssl	Openssl	1.0.2	beta1	All	All
Application	Openssl	Openssl	1.0.2	beta2	All	All
Application	Openssl	Openssl	1.0.2	beta3	All	All
Application	Openssl	Openssl	1.0.2	All	All	All
Application	Openssl	Openssl	1.0.2	beta1	All	All
Application	Openssl	Openssl	1.0.2	beta2	All	All
Application	Openssl	Openssl	1.0.2	beta3	All	All

References

Reference	Source	Link	Tags
1202410 – (CVE-2015-0285) CVE-2015-0285 openssl: handshake with unseeded PRNG	CONFIRM	bugzilla.redhat.com	Issue Tracking, Third Party Advisory
git.openssl.org Git - openssl.git/commit		git.openssl.org
FortiGuard	CONFIRM	www.fortiguard.com	Third Party Advisory
Oracle Critical Patch Update - October 2015	CONFIRM	www.oracle.com	Third Party Advisory
Gentoo Security	GENTOO	security.gentoo.org	Third Party Advisory
Oracle Critical Patch Update - July 2015	CONFIRM	www.oracle.com	Third Party Advisory
'[security bulletin] HPSBMU03409 rev.1 - HP Matrix Operating Environment, Multiple Vulnerabilities' - MARC	HP	marc.info	Mailing List, Third Party Advisory
git.openssl.org Git - openssl.git/commit	CONFIRM	git.openssl.org	Vendor Advisory
www.openssl.org/news/secadv_20150319.txt	CONFIRM	www.openssl.org	Vendor Advisory
'[security bulletin] HPSBMU03397 rev.1 - HP Version Control Agent (VCA) on Windows and Linux, Multipl' - MARC	HP	marc.info	Mailing List, Third Party Advisory
cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf	CONFIRM	cert-portal.siemens.com
OpenSSL CVE-2015-0285 Insufficient Entropy Security Weakness	BID	www.securityfocus.com	Third Party Advisory, VDB Entry
OpenSSL Multiple Flaws Let Remote Users Deny Service - SecurityTracker	SECTRACK	www.securitytracker.com	Third Party Advisory, VDB Entry
'[security bulletin] HPSBMU03380 rev.1 - HP System Management Homepage (SMH) on Linux and Windows, Mu' - MARC	HP	marc.info	Mailing List, Third Party Advisory
Oracle Solaris Third Party Bulletin - April 2015	CONFIRM	www.oracle.com	Third Party Advisory
Broadcom Support Portal	CONFIRM	bto.bluecoat.com	Third Party Advisory
Oracle Critical Patch Update - October 2017	CONFIRM	www.oracle.com	Patch, Third Party Advisory
McAfee KnowledgeBase - Intel Security - Security Bulletin: Fourteen OpenSSL CVEs Announced on March 19, 2015	CONFIRM	kc.mcafee.com	Third Party Advisory
Oracle Critical Patch Update - January 2016	CONFIRM	www.oracle.com	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

590349 Rockwell Automation Stratix 5900 Multiple Vulnerabilities (ICSA-17-094-04)
591280 Siemens SCALANCE X-200RNA Switch Devices Denial of Service (DoS) Multiple Vulnerabilities (ICSA-22-349-21, SSA-412672)