Information Exposure Affecting openssl package, versions >=1.0.200, <1.0.211


0.0
medium

Snyk CVSS

    Attack Complexity High
    Confidentiality High
Expand this section
NVD
5.9 medium
Expand this section
RHEL
5.9 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-COCOAPODS-OPENSSL-471080
  • published 2 Oct 2019
  • disclosed 22 Nov 2017
  • credit Unknown

How to fix?

Upgrade OpenSSL to version 1.0.211 or higher.

Overview

OpenSSL is a SSL/TLS and Crypto toolkit. Deprecated in Mac OS and gone in iOS, this spec gives your project non-deprecated OpenSSL support.

Affected versions of this package are vulnerable to Information Exposure. OpenSSL is vulnerable to an overflow error in AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. This bug can be used to compromise private key information for certain situations and DH1024.

It does affect processors supporting AVX2 but not ADX extensions (e.g., Intel Haswell (4th generation)). This bug cannot be exploited for EC algorithms.