/** * This is the notes section. CVE documents should ONLY be created by employees of ClearCenter with the authority to make statements on behalf of the company. If you have content that would be useful to the statement, please contact ClearCenter. */
'While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.'
This issue affects ClearOS 7 and ClearOS 6.
The flaw of this issue requires special requirements unlikely in ClearOS. Unless you have have specially created a certificate that uses uncommon SSL extensions, you will not be affected by this flaw. Even so, if you have, it doesn't do anything useful since it produces garbled data that is public in nature.
This vulnerability is more of a flaw than a exploitable vulnerability since the impact is only garbled data. To perform this vulnerability the user must use OpenSSL to display a local or remote certificate and the certificate MUST use an uncommon IPAdressFamily extension. The likelihood of this is low since most certificate providers do NOT provide uncommon extensions. In addition, all certificates on this system are typically self-signed or 3rd party provided so the likelihood of even managing this exploit is minimal since neither provide the aforementioned uncommon IPAddressFamily extension. (See RFC3779)
This flaw does not provide an impact of availability of service nor does it provide a mechanism for denial of service. To implement, one must specially craft a certificate that produced the uncommon extension. This is unlikely.
If you have crafted a certificate with an uncommon IPAddressFamily, please replace it.